Content Security Policy
Set up and enforced via Cloudflare.

We audit what your client's site actually loads, build a policy around it, and enforce it at the Cloudflare edge. Full security header suite included. Flat $77. Requires Cloudflare.

TL;DR
A properly enforced Content Security Policy blocks XSS attacks and unauthorized resource injection at the browser level. We set it up in report-only mode first to capture everything the site loads, then build the enforcement policy and deploy it via Cloudflare Transform Rules alongside the full security header suite.
  • Report-only audit first, enforcement after
  • All third-party scripts and services accounted for
  • Full security header suite set in the same session
  • Deployed at the Cloudflare edge, works on any stack
$77
flat rate per domain
Book a Session

Who this is for

Web designers and agencies whose clients need stronger security posture, pass security audits, or meet compliance requirements.

Client failed a security audit and CSP is flagged as missing
Security scans and penetration tests routinely flag missing or unenforced CSP headers. We set up a real enforcement policy, not just a header that passes the scanner while doing nothing.
Client site was compromised via script injection
A CSP is one of the most effective defenses against XSS and malicious script injection. If the site was hit once, a properly enforced policy makes the same attack much harder to repeat.
You want to harden a client site without touching the hosting or code
Because this is done entirely at the Cloudflare edge via Transform Rules, there is nothing to install, no plugins, no server config changes. The site just gets more secure headers on every response.
Client handles sensitive data and wants stronger browser-level protection
Healthcare, legal, finance, and eCommerce clients often want or need to demonstrate security controls. A deployed and enforced CSP with accompanying security headers is a concrete, verifiable control.
You tried setting up a CSP yourself and it broke the site
A CSP that blocks legitimate scripts takes the site down. The report-only audit is what prevents that. If you have attempted it before and ran into problems, that is exactly what this session fixes.
Client's site is already on Cloudflare and you want to add security headers
If the site is already behind Cloudflare, adding the full security header suite via a Transform Rule takes one session. The CSP policy is the most complex part. The rest of the headers go in the same rule.

What gets set up in the session.

One Cloudflare Transform Rule. Full enforcement. All security headers in one place.

Content-Security-Policy (enforced)
Built from a report-only audit so every legitimate source is accounted for before enforcement. Blocks unauthorized scripts, styles, frames, and connections at the browser level.
X-Frame-Options
Set to SAMEORIGIN to prevent the site from being embedded in iframes on other domains. Blocks clickjacking attacks.
Permissions-Policy
Disables browser features the site does not use: camera, microphone, geolocation, accelerometer, and more. Reduces attack surface and third-party API access.
Referrer-Policy
Set to strict-origin-when-cross-origin so the full URL is not leaked to third-party sites in referrer headers.
Strict-Transport-Security (HSTS)
Enforces HTTPS for one year with subdomains included and preload ready. Prevents protocol downgrade attacks and cookie hijacking over HTTP.
X-Content-Type-Options and X-Powered-By removal
Nosniff set to prevent MIME-type sniffing attacks. X-Powered-By removed so the server tech stack is not advertised in response headers.
Requires Cloudflare
This service is done via Cloudflare Transform Rules. The client domain must be on Cloudflare. Not on Cloudflare yet? See Cloudflare setup first.
Cloudflare Setup

The agencies we work with. Now they’re heroes.

What agency partners say about working with us.

"I run a full scale digital marketing agency and have been using Troy for over 10 years now. Whenever we run into server, email, high level tech or website issues, he is the guy that takes care of it for us."

Jason FillerVision Fillers • Digital Marketing Agency

"As our agency grew, so did the support tickets! Troy has helped us handle DNS and firewall issues, random plugin conflicts, migrations, email authentication and more. R5 loves counting Troy as part of the team!"

Austin ReasonR5 Website Management

"I watched my malicious login attempts drop to zero almost immediately after implementing Troy’s WAF rules. Game changer."

Craig CarusoAgency Owner

"Troy literally saved all my sites from an attack. His Cloudflare setup is the reason they survived. I cannot recommend him enough."

Howard SpaethH Grant Designs

"Those moments I just love having Troy in my back pocket. When a client site is on fire and you have a timer ticking, knowing we can call someone who picks up and fixes it is everything."

Yvonne HeimannAsk YVI

"I’m comfortable with most things DNS, but when I needed to implement SPF, DKIM and DMARC records, Troy’s guidance made it straightforward."

Christian van ’t HofBrightsol

How the CSP session works

Report-only mode firstWe deploy a Content-Security-Policy-Report-Only header via Cloudflare. This logs every resource the site tries to load without blocking anything. We use the browser console and violation reports to capture the full picture of what the site needs.
Build the enforcement policyWe take every legitimate source captured in report-only mode and build it into the enforcement policy. Google Analytics, GTM, Facebook Pixel, YouTube embeds, fonts, reCAPTCHA, chat widgets: every third-party service the site uses gets added to the correct directive.
Deploy enforcement and all security headersWe switch from report-only to enforcement and add the full security header suite in the same Cloudflare Transform Rule. We test the site across key pages before closing. Every page on the domain gets the headers on every response, automatically, at the edge.

One session. Full enforcement.

Flat rate. No retainers. Requires Cloudflare.

Security Headers
CSP and Security Header Setup

We audit the site in report-only mode, build a full enforcement CSP, and deploy it alongside the complete security header suite via Cloudflare Transform Rules.

  • Content-Security-Policy (enforced)
  • X-Frame-Options, Permissions-Policy, Referrer-Policy
  • HSTS with subdomains and preload
  • X-Content-Type-Options, X-Powered-By removed
  • All set via Cloudflare Transform Rules
  • White label. Your client never knows we were there

Flat fee per domain. Requires Cloudflare. If not on Cloudflare yet, book setup first.

$77
Book CSP Setup
100% money back if we cannot set it up

Frequently Asked Questions

Common questions about CSP setup.

Does my client need to be on Cloudflare?
Yes. We deploy the CSP and all security headers via Cloudflare Transform Rules, which modify response headers at the edge before they reach the browser. This works for any site behind Cloudflare regardless of hosting or tech stack. If your client is not on Cloudflare yet, see our Cloudflare setup service first.
Will this break my client's site?
We audit in report-only mode first, which logs violations without blocking anything. Once we know exactly what the site loads, we build the enforcement policy around those sources. We test before closing the session. Breaking the site is how a CSP is done wrong. It is not how we do it.
What about third-party scripts like Google Analytics, Facebook Pixel, or chat widgets?
Those are exactly what report-only mode catches. We identify every external script, style, and frame the site loads, then add the correct sources to the policy. Google Analytics, GTM, Facebook, reCAPTCHA, YouTube embeds, Vimeo, and other common third parties are all handled in the policy we build.
What is included beyond the CSP?
We set the full security header suite in the same Cloudflare Transform Rule: X-Frame-Options (SAMEORIGIN), Permissions-Policy, Referrer-Policy (strict-origin-when-cross-origin), HSTS with preload, X-Content-Type-Options (nosniff), and X-Powered-By removed.
Do I need to do anything after the session?
No. The headers are set at the Cloudflare edge and apply to every page automatically. If the site adds new third-party scripts later, those will need to be added to the policy. That is a quick follow-up session.

Give us a call or submit a ticket.

Not sure if the site qualifies or want to talk through it first? Call or submit a ticket and we will let you know.

Mon – Fri, 9am – 5pm ET
or submit a ticket anytime

Confidential. We never contact your clients directly.

Submit a Support Ticket

Tell us the domain and whether it is already on Cloudflare. We will confirm scope and get you booked.

  • Tell us the domain and confirm it is on Cloudflare
  • We book the session and send a prep checklist
  • We handle it. Your client gets a more secure site
Open a Support Ticket

Confidential. We never contact your clients directly.

Have a question?
100% human. 0% robot. Results may vary. 😄