[tptacek]

The difference between CSP and compression, firewall rules, and caching are that CSP alters the way the application works, and the others don't. I've seen drama just in getting modsecurity deployed, and modsecurity is much less intrusive than CSP.

[jfager]

We're talking about bits an admin can flip to get fired, aren't we? To that question, I don't really see what you get from the distinction...