Deploy content security rules in production
Follow the practices on this page when deploying or updating content security rules in a production environment. Applying rule changes without a validation period can block legitimate resources and disrupt your application for end users.
When updating content security rules in production, avoid the following:
- Do not edit an existing rule directly in production without testing first.
- Do not change a rule action from Log to Allow without a validation period.
- Do not delete all rules at once.
Instead, follow these practices:
- Test changes in a staging environment before applying them in production.
- Use the Log rule action for at least seven days before switching to Allow.
- Update one rule at a time.
- Monitor rule violations for 24 hours after each change.
- Document a rollback procedure before making changes.
Complete the following checklist before switching a content security rule from Log to Allow:
- The rule has run in Log mode for a minimum of seven days.
- All rule violations have been reviewed and no unexpected blocks were found.
- All legitimate third-party resources have been added to the rule allowlist.
- The application has been tested on all major browsers (Chrome, Firefox, Safari, Edge).
- Alerts are configured for rule violations.
- A rollback procedure is documented and ready to execute.
If a rule change causes unexpected violations or blocks legitimate resources:
- Switch the rule action back to Log to stop blocking resources immediately.
- Review the rule violations to identify which resources were blocked.
- Update the rule to include any missing resources.
- Repeat the validation process before switching the rule back to Allow, which blocks any resource not present in the allowlist.
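The following script is an added example, not part of this page or of any product's own tooling. It turns the Log-to-Allow checklist above and the rollback steps into a repeatable readiness check: it counts Log-mode violations per blocked origin, flags origins nobody has reviewed, flags reviewed-legitimate origins that are still missing from the allowlist, enforces the seven-day Log period, and models the first rollback step (set the action back to Log). The rule shape (`action`, `allowlist`, `log_since`), the violation report shape (`blocked_uri`), the `review` verdict map and all sample values are assumptions constructed for the example; the page does not define a rule or report format.

```python
"""Readiness check for moving a content security rule from Log to Allow.

Added example; rule/report shapes are assumed, not taken from the page.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

MIN_LOG_DAYS = 7  # minimum Log-mode validation period from the checklist


def origin_of(blocked_uri: str) -> str:
    """Reduce a blocked URI to its origin; non-URL values such as 'inline' pass through."""
    parts = urlsplit(blocked_uri)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked_uri


def summarize_violations(reports):
    """Count Log-mode violations per blocked origin (the review step of the checklist)."""
    return Counter(origin_of(r["blocked_uri"]) for r in reports)


def readiness_findings(rule, reports, review, now, alerts_configured, rollback_documented):
    """Return the list of blocking findings; an empty list means the rule may move to Allow.

    rule:   {"action": "Log"|"Allow", "allowlist": [origins], "log_since": datetime}
    review: {origin: "legitimate" | "expected"}, recorded by a reviewer per violating origin
            ("expected" means the block is intended, e.g. an inline script that should go)
    """
    findings = []
    if rule["action"] != "Log":
        findings.append(f"rule action is {rule['action']}, expected Log during validation")
    days = (now - rule["log_since"]).days
    if days < MIN_LOG_DAYS:
        findings.append(f"only {days} days in Log mode, need {MIN_LOG_DAYS}")
    allowed = set(rule["allowlist"])
    for origin, count in summarize_violations(reports).most_common():
        verdict = review.get(origin)
        if verdict is None:
            findings.append(f"{count} unreviewed violation(s) from {origin}")
        elif verdict == "legitimate" and origin not in allowed:
            findings.append(f"legitimate resource {origin} missing from allowlist")
    if not alerts_configured:
        findings.append("no alert configured for rule violations")
    if not rollback_documented:
        findings.append("rollback procedure not documented")
    return findings


def roll_back(rule):
    """First response step when an Allow rule blocks legitimate resources: return to Log."""
    return {**rule, "action": "Log"}


# Constructed sample data (hypothetical origins, not real resources).
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)
RULE = {
    "action": "Log",
    "allowlist": ["https://cdn.example.com"],
    "log_since": NOW - timedelta(days=9),
}
REPORTS = [  # constructed Log-mode violation reports
    {"blocked_uri": "https://analytics.example.net/tag.js"},
    {"blocked_uri": "https://analytics.example.net/pixel.gif"},
    {"blocked_uri": "inline"},
    {"blocked_uri": "https://unknown.example.org/x.js"},
]
REVIEW = {"https://analytics.example.net": "legitimate", "inline": "expected"}

if __name__ == "__main__":
    for finding in readiness_findings(RULE, REPORTS, REVIEW, NOW, True, True):
        print("BLOCKER:", finding)
    print("after rollback:", roll_back({**RULE, "action": "Allow"})["action"])
```

Run it on each day of the Log period rather than once at the end: a new unreviewed origin appearing on day six is exactly the case the 24-hour monitoring step is meant to catch, and the check only returns an empty list when every origin has a recorded verdict and every legitimate one is already in the allowlist.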