CSP for Healthcare Sites: HIPAA-Safe Tradeoffs
Healthcare websites are awkward from a CSP perspective. You need strong browser-side protections because patient portals, appointment forms, billing pages, and telehealth flows are juicy targets for XSS and data exfiltration. But the same sites also tend to be loaded with analytics, consent tools, scheduling widgets, chat vendors, CDNs, and old CMS fragments that fight every strict policy you try to deploy. And then HIPAA changes the stakes. A normal marketing site can shrug off some tracking sprawl and say “we’ll clean it up later.” A healthcare site that leaks PHI through JavaScript, third-party requests, or embedded tools is in a much worse spot. ...