Is the free audit really free?

Yes, completely free. Just enter your URL — no account, no email, no credit card. You get your overall score and top issues instantly. Want more? Create a free account to save your report and get 2 pro scan credits.

How long until I get my report?

The Quick Scan is typically under 60 seconds. Paid reports are generated and emailed within 2–3 minutes of payment.

9 categories: SEO & Search Visibility, Website Performance & Speed, Mobile Experience, Security & Privacy, Accessibility, Content & Messaging, Technical Health, Trust & Credibility, and Local SEO & Google Business. Each category is scored independently, and we provide specific evidence and fix instructions for every issue found.

Do I need technical knowledge?

Not at all. Reports are written in plain language with prioritized, step-by-step recommendations. Each issue is labeled with who can fix it, and many are things you can do yourself without touching code.

How accurate is the analysis?

We analyze your actual live website, checking real page speed, real HTML structure, and real content. Every finding comes with specific evidence from your site, so you can verify it yourself.

Absolutely. We only use your email to deliver your report. No spam, no sharing with third parties. We analyze publicly accessible pages (the same thing Google sees). We never store passwords, we don't access admin panels, and we never sell your data. All connections are encrypted with 256-bit SSL. See our Privacy Policy for full details.

Can I see a sample report before buying?

Yes! Check out our interactive demo report to see exactly what a full audit looks like, with real findings, evidence, and fix instructions you can explore.

How do I cancel my subscription?

You can cancel anytime from your dashboard. Just click "Manage Subscription" to open the billing portal. Your audit access continues until the end of your current billing period.

Who built FreeSiteAudit?

FreeSiteAudit was built by web professionals who wanted to make professional-grade website audits accessible to every business owner. We combined real-world SEO and web development experience with automation to deliver clear, actionable reports.

May 27, 2026·12 min read

Content Security Policy for Non-Developers: A Plain-English Guide

What CSP is, why small business sites need one, and how to add basic protection in report-only mode without breaking checkout, forms, or third-party widgets.

# Content Security Policy for Non-Developers: A Plain-English Guide

If you run a small business website and you've heard the phrase "Content Security Policy" tossed around by a developer, a security scanner, or your hosting provider, you probably nodded politely and hoped it would go away. It won't. CSP is one of the most effective ways to stop a hacked site from stealing your customers' credit card numbers, hijacking your contact forms, or showing visitors fake login pages.

This guide is written for the person who owns the site, not the person who codes it. By the end, you'll know what CSP does, when you actually need it, how to add a basic one without breaking your site, and what to do when something does break.

What CSP Actually Does (in One Paragraph)

Your website loads stuff from lots of places. Your own server hosts the main pages, but Google Analytics tracks visitors, Stripe handles payments, a chat widget chats, Mailchimp captures emails, and maybe a Facebook pixel runs in the background. Each of those is a "source." A Content Security Policy is a short list of approved sources you give the browser. The browser then refuses to load anything that isn't on the list. If an attacker manages to inject a sneaky script tag onto your contact page, the browser sees the script came from a domain you never approved, and blocks it. That's the entire point.

Why a Small Business Site Needs This

You might think CSP is for banks and enterprise platforms. It isn't. The most common targets of script injection are not big companies with security teams. They are small business sites running outdated WordPress plugins, abandoned Shopify themes, or custom code written by a contractor three years ago. Attackers scan the web automatically. If your site has a known vulnerability, you will be found.

Without CSP, an attacker who finds even a tiny opening can:

Inject a fake checkout form that captures credit card details
Load a cryptocurrency miner that runs while customers browse
Redirect mobile visitors to a phishing page
Steal session cookies and impersonate logged-in users
Replace your contact form with one that emails leads to a competitor

With a properly configured CSP, most of those attacks fail silently in the browser. The injected script tries to load, the browser checks the policy, and the load is refused.

The Two Ways CSP Gets Delivered

There are two technical ways a CSP reaches the browser, and you should know the names because your hosting support team will use them.

HTTP header: The server sends a Content-Security-Policy header with every page response. This is the preferred method.

Meta tag: A tag is added in the page's HTML head. This works for static sites or platforms where you can't easily edit headers, but it's slightly less powerful (some directives like frame-ancestors are ignored) and slightly slower, because the browser has already started parsing before it sees the rule.

Most managed platforms — Shopify, Squarespace, Webflow, modern WordPress hosts — let you set headers either through a settings panel or through a plugin. If yours doesn't, the meta-tag approach still works.

The Anatomy of a CSP, Without the Jargon

A CSP is a single line of text made up of "directives." Each directive tells the browser what's allowed for one type of resource.

Here is a beginner-friendly example for a typical small business site that uses Google Analytics, Stripe, and a Mailchimp form:

default-src 'self';

script-src 'self' https://www.googletagmanager.com https://js.stripe.com;

style-src 'self' 'unsafe-inline';

img-src 'self' https: data:;

connect-src 'self' https://www.google-analytics.com https://api.stripe.com;

frame-src https://js.stripe.com;

font-src 'self' https://fonts.gstatic.com;

Translated line by line:

default-src 'self' — By default, only allow stuff from my own domain.
script-src — Allow scripts from my domain, Google Tag Manager, and Stripe.
style-src — Allow stylesheets from my domain and inline