Simple GDPR Lockdown

When the GDPR privacy regulations came into effect, a lot of the discussion focused on consent banners, privacy policies, and legal obligations.

What received less attention was the practical reality of implementation.

I suspect many of the pundits had never tried auditing a large website. It’s surprisingly difficult.

Most sites accumulate years of third-party scripts, tracking pixels, widgets, embeds, analytics tools, advertising integrations, social sharing buttons, and assorted bits of JavaScript that nobody remembers adding in the first place.

Before you’ve even started thinking about compliance, you first have to figure out what is actually running on your pages.

So rather than attempting to immediately untangle years of accumulated code, how about approaching the problem from the opposite direction?

Create something similar to an ad blocker that only allows resources you’ve explicitly approved.

It’s actually not that hard, and it’s surprisingly powerful.

Three words: Content. Security. Policies.

The HTTP Content-Security-Policy response header gives the server control over which resources a browser is allowed to load on a page. It was originally designed as a defense against cross-site scripting attacks, but it happens to be very useful for restricting third-party resources.

Modern browsers support CSP via HTTP headers and META tags, making it possible to implement a simple whitelist-based approach without major architectural changes.

I’ve put together a basic implementation here:

https://github.com/donohoe/simple-gdpr-lockdown/

The one critical dependency is being able to determine a visitor’s country and whether they fall under the regulations you’re targeting.
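As an added example (not code from the repository above): a small Python sketch of the allowlist idea, applying the lockdown header only when the visitor's country falls under the regulation, and with a report-only mode so you can first discover what is actually loading before you block it. The approved hosts, the site origin and the country list are assumptions; the country lookup itself (the geo-IP dependency mentioned above) is left as an input.

```python
from urllib.parse import urlparse

# Constructed allowlist: the only third-party hosts you have explicitly approved.
APPROVED = {
    "script-src": ["https://cdn.example-analytics.invalid"],
    "img-src": ["https://img.example-cdn.invalid"],
    "frame-src": [],  # no third-party embeds approved at all
}

# Assumption for the example: EU member states plus EEA (IS, LI, NO) and the UK.
GDPR_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO", "GB",
}

def lockdown_policy(approved=APPROVED):
    """Build a CSP that denies everything except 'self' and the approved hosts."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'"] + approved.get("script-src", []),
        "img-src": ["'self'", "data:"] + approved.get("img-src", []),
        "frame-src": approved.get("frame-src") or ["'none'"],
        "connect-src": ["'self'"],
    }
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())

def csp_headers(country_code, report_only=False):
    """Headers to add to the response; empty for visitors outside the target countries.
    Report-only mode logs violations to the browser console without blocking anything,
    which is the cheap way to inventory what a page really loads."""
    if country_code.upper() not in GDPR_COUNTRIES:
        return {}
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {name: lockdown_policy()}

def resource_allowed(policy, directive, url, site_origin):
    """Would a resource URL pass the policy? Host-level match only; a fetch directive
    that is absent from the policy falls back to default-src, as browsers do."""
    rules = {}
    for part in policy.split(";"):
        name, _, sources = part.strip().partition(" ")
        if name:
            rules[name] = sources.split()
    sources = rules.get(directive) or rules.get("default-src", ["'none'"])
    if url.startswith("data:"):
        return "data:" in sources
    parsed = urlparse(url)
    origin = f"{parsed.scheme}://{parsed.netloc}"
    allowed = {site_origin if s == "'self'" else s for s in sources}
    return origin in allowed
```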

As a short-term measure, this approach can help reduce risk while you work through the codebase, business rules, and technical archaeology that have accumulated over the years (or decades).

Pull Requests welcome.