What is Content Security Policy (CSP), and how can I use it with CloudFlare?

What is Content Security Policy?

Content Security Policy (CSP) is a web standard that grants web developers additional control over what locations a client browser is permitted to load resources from/what other sites are allowed to interact with the developer’s site. For example, a developer could specify that any content type is safe to load from their own site, and additionally that images may be loaded from any domain and that JavaScript libraries and scripts may only be loaded from a separate trusted, verified third party domain, with this sample policy:

default-src 'self'; img-src *; script-src https://userscripts.example.com

Why would I use Content Security Policy?

A correctly configured policy affords you and your users additional security against certain attacks. Commonly, it can be used to prevent and/or mitigate attacks that involve content/code injection, such as cross-site scripting/XSS attacks, attacks that require embedding a malicious resource, attacks that involve malicious use of iframes, such as clickjacking attacks, and others. More generally, it allows you to control where content displayed by clients visiting your site can be loaded from.

How can I write one?

Example use cases and policy can be found at https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy

http://w3c.github.io/webappsec-csp/ and https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives provide more complete descriptions of directives and use, as well as implementation considerations and client support information.

https://developer.chrome.com/extensions/contentSecurityPolicy and https://developer.chrome.com/apps/contentSecurityPolicy provide documentation specific to Chrome, but is targeted more towards extension/application development.

https://msdn.microsoft.com/en-us/library/dn904195%28v=vs.85%29.aspx provides limited documentation for Edge.


Can I/how do I use Content Security Policy with CloudFlare?

Yes, you can use a Content Security Policy with sites behind CloudFlare. We do not modify the Content-Security-Policy header sent by your origin.

No changes need to be made to acceptable sources for your own/other third-party content. Using CloudFlare does not affect or modify the URLs that you use to include content, and therefore will not interfere with clients’ ability to match locations specified in your policy against locations used to include resources.

If you use certain CloudFlare features, you will need to allow inline scripts in your policy. We include scripts on your domain and add some inline code when you enable Rocket Loader, CloudFlare Apps, or ScrapeShield.

If you do use any of these features, you will need to add the following to your Content Security Policy:

script-src 'self' 'unsafe-inline'

Still not finding what you need?

The CloudFlare team is here to help. 95% of questions can be answered using the search tool, but if you can’t find what you need, submit a support request.

Powered by Zendesk