Content Security Policies (CSPs) and Cloudflare
A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including:
- Content/code injection
- Cross-site scripting (XSS)
- Embedding malicious resources
- Malicious iframes (clickjacking)
To learn more about configuring a CSP in general, refer to the Mozilla documentation.
Using a CSP with Cloudflare
Cloudflare’s CDN is compatible with CSP.
Cloudflare does not:
- Modify CSP headers from the origin web server (except when using Zaraz, to ensure the Zaraz script is always running).
- Require changes to acceptable sources for first or third-party content.
- Modify URLs (besides adding the
/cdn-cgi/
endpoint and Cloudflare Fonts that rewrites Google Fonts urls). - Interfere with locations specified in your CSP.
Product requirements
To use certain Cloudflare features, however, you may need to update the headers in your CSP:
Feature(s) | Updated headers |
---|---|
Rocket Loader, Mirage | script-src 'self' ajax.cloudflare.com; |
Cloudflare Apps, Scrape Shield | script-src 'self' 'unsafe-inline' |
Web Analytics | script-src static.cloudflareinsights.com; connect-src cloudflareinsights.com |
Bot products | Refer to JavaScript detections and CSPs. |
Page Shield | Refer to Page Shield CSP Header format. |
Zaraz | No updates required ( details). |
Turnstile | Refer to Turnstile CSP. |