Content Security Policies (CSPs)
A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including:
- Content/code injection
- Cross-site scripting (XSS)
- Embedding malicious resources
- Malicious iframes (clickjacking)
To learn more about configuring a CSP in general, refer to the Mozilla documentation ↗.
Cloudflare’s CDN is compatible with CSP.
Cloudflare does not:
- Modify CSP headers from the origin web server (except when using Zaraz, to ensure the Zaraz script is always running ↗).
- Require changes to acceptable sources for first or third-party content.
- Modify URLs (besides adding the
/cdn-cgi/
endpoint and Cloudflare Fonts that rewrites Google Fonts urls). - Interfere with locations specified in your CSP.
If you require the CSP headers to be changed or added, you can change them using some Cloudflare products:
- If your website is proxied through Cloudflare, you can use a Response Header Modification rule to modify or add CSP headers.
- If your website is hosted using Cloudflare Pages, you can set a
_headers file
to modify or add CSP headers.
To use certain Cloudflare features, however, you may need to update the headers in your CSP:
Feature(s) | Updated headers |
---|---|
Rocket Loader, Mirage | script-src 'self' ajax.cloudflare.com; |
Cloudflare Apps ↗, Scrape Shield | script-src 'self' 'unsafe-inline' |
Web Analytics | script-src static.cloudflareinsights.com; connect-src cloudflareinsights.com |
Bot products | Refer to JavaScript detections and CSPs. |
Page Shield | Refer to Page Shield CSP Header format. |
Zaraz | No updates required (details ↗). |
Turnstile | Refer to Turnstile CSP. |