Simple GDPR Lockdown

May 26th, 2018

There was a certain level of misinformation and misunderstanding regarding the EU privacy regulations that came into law.

I would argue that there are a lot of pundits who have no idea how difficult it is to audit your own site to find all the strange and obscure third-party vendors and scripts it pulls in and inserts onto your pages. And that's a whole ton of upfront work before you've even figured out how to remove, sanitize, or replace them.

Instead, how about you create something similar to an ad-blocker that only affects things you don't explicitly whitelist? It's actually not that hard, and quite powerful too.

Three words: Content. Security. Policies.

The HTTP Content-Security-Policy response header provides control over the resources the user agent is allowed to load. It was originally envisioned to guard against cross-site scripting attacks.

It is also available as a <meta> tag in all modern browsers (sorry, no Internet Explorer). I've put together a very simple implementation that ties all these things together.

The one critical dependency is that you are able to tell what country your visitor is from and whether that country is part of the EU or not.
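To make the approach concrete, here is an added example (not the post's own implementation) that builds a whitelist-only CSP and hands it out only to EU visitors. The country code is assumed to come from an upstream GeoIP lookup, and the whitelisted origins are constructed sample values.

```javascript
// Added example: CSP as a whitelist-only "ad-blocker" for EU visitors.
// Assumes the caller already resolved the visitor's ISO country code.

// EU member states at the time of the post (2018); GB was still a member.
const EU_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR',
  'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK',
  'SI', 'ES', 'SE', 'GB',
]);

// Per-directive whitelist of third-party sources (constructed sample values).
// Anything not listed here (ad networks, tag managers, tracking pixels) is
// refused by the browser, so nothing leaks to vendors you have not vetted.
const WHITELIST = {
  'script-src': ['https://cdn.example-cdn.com'],
  'img-src': ['data:'],
  'connect-src': [],
  'frame-src': [],
};

// Build the policy string: everything defaults to same-origin, and each
// listed directive allows same-origin plus its whitelisted sources.
function buildLockdownCsp(whitelist) {
  const directives = ["default-src 'self'"];
  for (const [directive, sources] of Object.entries(whitelist)) {
    directives.push([directive, "'self'", ...sources].join(' '));
  }
  return directives.join('; ');
}

// Return the lockdown policy for EU visitors and null for everyone else,
// so the caller can keep serving the unchanged page outside the EU.
function cspForVisitor(countryCode, whitelist = WHITELIST) {
  if (!countryCode || !EU_COUNTRIES.has(countryCode.toUpperCase())) return null;
  return buildLockdownCsp(whitelist);
}

// <meta> delivery for sites that cannot set response headers. Note that
// frame-ancestors, report-uri and sandbox are ignored in the meta form;
// use the HTTP header (cspHeader) when you need those.
function cspMetaTag(policy) {
  return `<meta http-equiv="Content-Security-Policy" content="${policy}">`;
}

// Header delivery, e.g. for Express: res.set(cspHeader(policy)).
function cspHeader(policy) {
  return { 'Content-Security-Policy': policy };
}
```

Start with Content-Security-Policy-Report-Only in the header form to see what would be blocked before enforcing it.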

In the short term it allows you to be compliant while you dig into the codebase and obscure business rules that have accumulated over the years (or decades).

Pull Requests welcome.