BoreNO

How to Implement Strict Content Security Policies (CSP) on Web

Designed for senior frontend developers in fast-scaling SaaS companies who are tasked with hardening application security while maintaining rapid release cycles, to spark real collaboration and high-energy learning.

A 90-minute hybrid workshop, mixing in-person and remote participants. Developers are under pressure to deliver secure apps quickly but struggle to balance CSP strictness with usability. They frequently encounter broken scripts, misunderstood policy errors, and conflicts with product teams over feature rollouts.

Icebreaker
Activity 1

CSP Puzzle Reveal

Kick off by presenting a snippet from a popular site’s CSP headers, but redact the directive names. Ask participants to guess what each policy piece aims to block or permit. It’s a curiosity-driven decode game that turns abstract policy jargon into concrete defensive moves.


Why this works

This approach leverages active recall and knowledge gaps to stimulate curiosity and motivation; decoding real CSPs primes learners for deeper dives.

Icebreaker
Activity 2

CSP Mythbusters Blitz

Rapid-fire polling: Present common misconceptions about CSP (e.g., 'CSP only protects against XSS') and let participants vote True/False. After each vote, clarify the misconception and show counterexamples from the wild.


Why this works

Revealing misconceptions sets the stage for deep learning by confronting false confidence and clarifying foundational facts.

Icebreaker
Activity 3

Clipboard CSP Quick-Share

Ask everyone to paste a CSP snippet they’ve worked with (or seen) into a shared doc or chat. No judgment, no deep-dive—just a quick, low-pressure sharing moment. Highlight a couple of unique or common finds and ask, 'What’s the trickiest part here?'


Why this works

Low-stakes sharing encourages participation from quieter members; it validates diverse experiences and builds peer learning.

Icebreaker
Activity 4

CSP Break-Fix Relay

Divide participants into small teams. Each team gets a broken CSP scenario (e.g., blocked scripts, unexpected errors). They compete to fix the policy in under 4 minutes and then explain their solution to the room. Fast, active, and slightly competitive!


Why this works

Group problem-solving and competition boost energy, reinforce collaboration, and drive concrete troubleshooting skills.

Icebreaker
Activity 5

Release Dilemma: Dev vs Security

Present a dilemma: Product devs want to roll out a new feature requiring third-party scripts, but the security team insists on a strict CSP. Split into two sides and debate: Should the CSP be relaxed, or is there a workaround? Use real Slack messages from an anonymized company to anchor the debate.


Why this works

Real-world dilemmas drive engagement, empathy, and critical thinking; participants see both technical and interpersonal complexity.

Icebreaker
Activity 6

Personal CSP Action Plan

Wrap up by asking each participant to write a 3-step plan for implementing stricter CSPs in their own projects. Prompt: 'What will you do differently next week?' Encourage sharing and reflection on blockers or support needed.


Why this works

Personal reflection deepens learning and commitment; concrete planning drives transfer to real-world application.
