A well-configured Content Security Policy limits what an injected script can do once it reaches the browser: it is the layer that catches the XSS your output encoding missed, not a replacement for that encoding. JekCMS ships with a permissive default CSP that works with all themes; tightening it requires knowing which external resources each component actually loads.
The default JekCMS CSP includes 'unsafe-inline' for both scripts and styles. This is intentional: the admin panel uses inline event handlers in several components, and the default themes inline critical CSS for performance reasons. Be clear about the cost, though: script-src 'unsafe-inline' lets any injected inline script or event handler run, so against XSS the default policy only stops payloads hosted on a non-allowlisted origin. The standard way out is a per-response nonce or a hash for each legitimate inline script, which lets you drop 'unsafe-inline' from script-src (browsers that support nonces ignore 'unsafe-inline' once a nonce or hash is present, so it can stay as a fallback for old browsers). Before tightening the policy, audit both the admin panel and your active theme by running the site with the strict candidate policy in report-only mode and reviewing the violation reports.
Self-Hosting Fonts Removes Two External Origins
Fonts loaded from Google Fonts require two external origins in two directives: font-src fonts.gstatic.com for the font files and style-src fonts.googleapis.com for the stylesheet that references them. If you switch to self-hosted fonts, which we recommend for both privacy and performance, both entries collapse to 'self' and the external font dependencies disappear entirely. JekCMS's default Trends theme ships with self-hosted Inter subsets that cover Latin and Turkish character ranges.
Explicit img-src Enumeration
The img-src directive needs to list every external origin from which your content loads images. A common mistake is setting img-src https: to allow any HTTPS image source. Images cannot execute script, but an injected <img> pointing at an attacker's host is the simplest exfiltration channel an XSS payload has (cookie or token values encoded into the query string), and a scheme-wide img-src lets that request reach any host at all. Enumerate your actual image sources explicitly, for example img-src 'self' cdn.yoursite.com data: (data: is acceptable here for inline images; it would not be acceptable in script-src).
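To make the audit described in the sections above concrete, here is an added example of a small linter for a CSP header value. It is not JekCMS code; the two policies at the bottom are constructed for the demonstration and are not JekCMS's actual defaults. The linter parses the policy, applies the default-src fallback the way browsers do, and reports the weaknesses discussed so far: 'unsafe-inline' in script-src without a nonce or hash, scheme-wide sources such as img-src https:, and the two Google Fonts origins. It also checks for object-src 'none', a standard hardening step this page does not otherwise cover.

```python
"""Lint a Content-Security-Policy value for the weak settings discussed above.

Added example; PERMISSIVE_CSP and TIGHT_CSP are constructed, not JekCMS's real headers.
"""
import re
from collections import namedtuple
from typing import Dict, List, Optional

Finding = namedtuple("Finding", "directive code message")

# Fetch directives that fall back to default-src when they are not set.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src", "connect-src", "object-src")
# A bare scheme or wildcard admits every host that uses that scheme.
BROAD_SOURCES = ("https:", "http:", "*")
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source, ...]}.

    Directive names are case-insensitive, and a directive repeated later in the
    policy is ignored, which is what browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing `directive`; None means nothing restricts it at all."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def has_nonce_or_hash(sources: List[str]) -> bool:
    return any(NONCE_OR_HASH.match(s) for s in sources)


def lint_csp(header: str) -> List[Finding]:
    policy = parse_csp(header)
    findings: List[Finding] = []

    if "default-src" not in policy:
        unrestricted = [d for d in FETCH_DIRECTIVES if d not in policy]
        if unrestricted:
            findings.append(Finding("default-src", "no-fallback",
                                    "no default-src, so these are unrestricted: " + ", ".join(unrestricted)))

    for directive in FETCH_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if sources is None:
            continue
        broad = [s for s in sources if s in BROAD_SOURCES]
        if directive == "script-src":
            # data:/blob: scripts are attacker-controllable; for img-src they are mostly harmless.
            broad += [s for s in sources if s in ("data:", "blob:")]
        for s in broad:
            findings.append(Finding(directive, "broad-source", f"{directive} {s} allows any {s} origin"))

    script = effective_sources(policy, "script-src") or []
    if "'unsafe-inline'" in script:
        if has_nonce_or_hash(script):
            # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
            findings.append(Finding("script-src", "unsafe-inline-ignored",
                                    "'unsafe-inline' is only a fallback for browsers without nonce support"))
        else:
            findings.append(Finding("script-src", "unsafe-inline",
                                    "injected inline <script> and event handlers will run; use nonces or hashes"))
    if "'unsafe-eval'" in script:
        findings.append(Finding("script-src", "unsafe-eval", "eval() and Function() are allowed"))

    style = effective_sources(policy, "style-src") or []
    if "'unsafe-inline'" in style and not has_nonce_or_hash(style):
        findings.append(Finding("style-src", "unsafe-inline-style",
                                "injected CSS runs; lower impact than script, but usable for exfiltration"))
    if "fonts.googleapis.com" in style or "fonts.gstatic.com" in (effective_sources(policy, "font-src") or []):
        findings.append(Finding("font-src", "external-fonts",
                                "Google Fonts origins present; self-hosting lets both become 'self'"))

    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append(Finding("object-src", "object-src", "set object-src 'none' unless plugins are needed"))
    return findings


# Constructed policies for the demo; not the actual JekCMS headers.
PERMISSIVE_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
                  "style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
                  "font-src fonts.gstatic.com; img-src https: data:")
TIGHT_CSP = ("default-src 'self'; script-src 'self' 'nonce-r4nd0mB4se64'; style-src 'self'; "
             "font-src 'self'; img-src 'self' cdn.yoursite.com data:; object-src 'none'")

if __name__ == "__main__":
    for name, csp in (("permissive", PERMISSIVE_CSP), ("tight", TIGHT_CSP)):
        print(f"{name}: {len(lint_csp(csp))} finding(s)")
        for f in lint_csp(csp):
            print(f"  [{f.directive}] {f.code}: {f.message}")
```

Run it against the header your server actually sends (curl -sI and copy the Content-Security-Policy value) rather than the one you think you configured; proxies and CDNs sometimes rewrite or drop the header. The fallback handling matters: a policy that sets only script-src leaves img-src, font-src and connect-src completely unrestricted, and the linter reports that as no-fallback.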
Always Start in Report-Only Mode
Start with Report-Only mode before enforcing: send Content-Security-Policy-Report-Only carrying the exact policy you intend to enforce, with a report-uri pointing to a collection endpoint. report-uri is marked deprecated in favour of report-to and the Reporting API, but it remains the more widely supported of the two, so sending both is the safe choice; a browser that understands report-to ignores report-uri. The free tier of report-uri.com works well for small sites. Remember that report-only mode blocks nothing, so the site is no better protected while you collect. Collect violations for at least a week before switching to enforcing mode; weekend traffic often exercises code paths that weekday monitoring misses.
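Reading a week of raw reports by hand is tedious, so here is an added example of the aggregation you would run over the collected reports before deciding what to allowlist. It is not part of JekCMS or of report-uri.com, and the report bodies and site origin below are constructed samples. It accepts both the legacy report-uri body ({"csp-report": ...}) and the Reporting API object, folds script-src-elem and similar granular directives onto their parent, collapses blocked URLs to origins (a same-origin block means 'self' is missing), and separates hosts you could allowlist from inline and eval blocks, which need a nonce, hash or refactor rather than an allowlist entry.

```python
"""Aggregate CSP violation reports into candidate allowlist entries.

Added example; SAMPLE_REPORTS and SITE are constructed, not captured from a real deployment.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Values a browser puts in blocked-uri when there is no URL to report.
NON_URL_BLOCKS = ("inline", "eval", "wasm-eval", "data", "blob")


def normalise_report(raw: dict) -> Optional[Tuple[str, str]]:
    """Return (directive, blocked) from a legacy report-uri body or a Reporting API
    object; None for anything that is neither."""
    if "csp-report" in raw:
        body = raw["csp-report"]
        # Older browsers omit effective-directive and put the whole directive,
        # sources included, into violated-directive ("img-src 'self'").
        directive = body.get("effective-directive") or body.get("violated-directive", "")
        blocked = body.get("blocked-uri", "")
    elif raw.get("type") == "csp-violation":
        body = raw.get("body", {})
        directive, blocked = body.get("effectiveDirective", ""), body.get("blockedURL", "")
    else:
        return None
    directive = directive.split()[0] if directive.split() else ""
    # script-src-elem / style-src-attr etc. fall back to the parent directive,
    # which is where the fix goes when the policy only sets the parent.
    for suffix in ("-elem", "-attr"):
        if directive.endswith(suffix):
            directive = directive[: -len(suffix)]
    return directive, blocked


def source_for(blocked: str, site_origin: str) -> str:
    """Map a blocked value to the source expression that would have allowed it."""
    if blocked in NON_URL_BLOCKS:
        return blocked
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        origin = f"{parts.scheme}://{parts.netloc}"
        # A same-origin block means 'self' is missing, not that a host is needed.
        return "'self'" if origin == site_origin else origin
    return blocked or "(empty)"


def aggregate(reports: Iterable[dict], site_origin: str) -> Dict[str, Counter]:
    """Count blocked sources per directive, skipping anything that is not a CSP report."""
    by_directive: Dict[str, Counter] = defaultdict(Counter)
    for raw in reports:
        norm = normalise_report(raw)
        if norm is None:
            continue
        directive, blocked = norm
        by_directive[directive][source_for(blocked, site_origin)] += 1
    return dict(by_directive)


def suggest(by_directive: Dict[str, Counter]) -> Dict[str, Dict[str, List[str]]]:
    """Per directive: sources you could allowlist, and blocks that need a code change."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for directive, counter in by_directive.items():
        allow, review = [], []
        for source, count in counter.most_common():
            if source in ("inline", "eval", "wasm-eval"):
                # Allowing these means 'unsafe-inline' / 'unsafe-eval'; fix the code instead.
                review.append(f"{count}x {source}: needs a nonce/hash or a refactor, not an allowlist entry")
            elif source in ("data", "blob"):
                allow.append(source + ":")
            else:
                allow.append(source)
        out[directive] = {"allow": allow, "review": review}
    return out


SITE = "https://www.yoursite.example"
# Constructed sample reports in both formats (not real traffic).
SAMPLE_REPORTS = [
    {"csp-report": {"effective-directive": "img-src", "blocked-uri": "https://i.example-cdn.net/hero.png"}},
    {"csp-report": {"effective-directive": "img-src", "blocked-uri": "https://i.example-cdn.net/logo.png"}},
    {"csp-report": {"violated-directive": "img-src 'self'", "blocked-uri": "data"}},
    {"csp-report": {"effective-directive": "img-src", "blocked-uri": SITE + "/uploads/a.png"}},
    {"csp-report": {"effective-directive": "script-src", "blocked-uri": "inline"}},
    {"type": "csp-violation", "body": {"effectiveDirective": "script-src-attr", "blockedURL": "inline"}},
    {"type": "csp-violation", "body": {"effectiveDirective": "font-src",
                                       "blockedURL": "https://fonts.gstatic.com/s/inter/v12/a.woff2"}},
    {"csp-report": {"effective-directive": "style-src-elem",
                    "blocked-uri": "https://fonts.googleapis.com/css2?family=Inter"}},
    {"unrelated": True},
]

if __name__ == "__main__":
    print(json.dumps(suggest(aggregate(SAMPLE_REPORTS, SITE)), indent=2))
```

Treat the "allow" list as candidates, not as the answer: a browser extension or an injected payload also generates reports, so an origin that appears a handful of times from a few clients is more likely noise or an attack than a resource your theme loads. Anything in "review" is exactly the inline code the previous sections told you to find, and allowlisting it would reintroduce 'unsafe-inline'.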