Client-side security FAQ

What happens to CSP HTTP headers set by the origin server when I create a content security rule?

When you create content security rules, Cloudflare will generate content security policy (CSP) directives from those rules based on their configuration:

• Log rules will create CSP directives for the Content-Security-Policy-Report-Only HTTP header.
• Allow rules will create CSP directives for the Content-Security-Policy HTTP header.

Client-side security only adds new CSP HTTP headers to the response. This means that Cloudflare will keep any Content-Security-Policy-Report-Only and Content-Security-Policy HTTP headers in the response set by the origin server and it will add separate HTTP headers for the content security rules configured on your Cloudflare zone.

It is recommended that you only have one rule in allow mode (that is, a content security rule being enforced). If there is more than one Content-Security-Policy HTTP header in the response, the most restrictive policy wins. For more information, refer to the MDN documentation ↗.

Can I add a nonce CSP directive to a content security rule?

Client-side security currently does not support nonce ↗ directives in content security rules. Instead, you can use a hash ↗ CSP directive. For details on the supported directives and values, refer to Supported CSP directives.