Using Content Security Policy (CSP) with Cloudflare

Ensure your Content Security Policy is compatible with Cloudflare features such as Rocket Loader, Mirage, Apps, Scrape Shield, and Browser Insights.


Overview

Content Security Policy (CSP) approves the content origins loaded by a web browser.  A correctly configured CSP secures against: 

  • content/code injection, 
  • cross-site scripting (XSS), 
  • embedding of malicious resources, and
  • malicious iframes (clickjacking). 

Cloudflare’s CDN is compatible with CSP and does not modify CSP headers from the origin web server. Cloudflare doesn’t require changes to acceptable sources for your website’s content or third-party content used by your website. Cloudflare does not modify any URLs and does not interfere with locations specified in your CSP. 


CSP compatibility with Cloudflare features

To properly utilize certain Cloudflare features, update your CSP headers:

script-src 'self' ajax.cloudflare.com;

script-src 'self' ajax.cloudflare.com;

script-src 'self' 'unsafe-inline'

script-src 'self' static.cloudflareinsights.com;


Related resources

Refer to these guides for writing CSPs that are compatible with various browsers:

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk