Content security rules

Content security rules (previously known as policies) define the resources allowed on your applications through Content Security Policy (CSP) directives. These rules can log violations and also enforce an allowlist of resources, effectively blocking resources not included in the policies. These two types of content security rules are called log rules and allow rules, respectively.

In the new security dashboard, content security rules are one of the available types of security rules. Security rules perform security-related actions on incoming requests that match specified filters.

Create allow rules to define a positive security model, also known as positive blocking. According to this model, you define what is allowed and reject everything else. Such an approach helps you reduce the attack surface for unwanted third-party scripts in your application.

A content security rule can control both client-side resources monitored by Cloudflare, such as scripts and their connections, and other types of resources. Refer to Supported CSP directives for details.

Important remarks

Third-party service providers may require specific CSP directives. Refer to your provider's documentation for more information on the CSP directives you need to include in your rule.

Rule actions

A content security rule can perform one of the following actions:

  • Log: Cloudflare will log any resources not covered by the rule, without blocking any resources. Use this action to validate a new content security rule before deploying it. Resources not covered by the rule will be reported as rule violations.
  • Allow: Cloudflare will block any resources not explicitly allowed by the content security rule. Switch to the Allow action after validating a new rule with the Log action, so that your content security rule does not block essential application resources, which would affect your application's end users. Rules with the Allow action will log rule violations for any blocked resources.

For details on the CSP directives Cloudflare creates for each type of rule action, refer to How client-side security works. For more information on the CSP directives supported by content security rules, refer to Supported CSP directives.
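The two actions above map onto the two CSP delivery mechanisms: a log rule corresponds to a report-only policy, an allow rule to an enforced one. The following added example (not Cloudflare's code; the header composition, the report endpoint placeholder and the simplified source matching are assumptions) shows how a rule's allowlist would be serialised for each action and which resources would be allowed, reported or blocked.

```python
# Added example, not part of the Cloudflare page or product code.
# A rule is modelled as {csp_directive: [source expressions]}; the report
# endpoint below is a constructed placeholder, and port matching is omitted.
from urllib.parse import urlsplit

REPORT_ENDPOINT = "https://csp-report.example.invalid/report"  # placeholder


def build_csp_header(rule: dict, action: str) -> tuple:
    """Return (header_name, header_value) for a content security rule.

    'log'   -> Content-Security-Policy-Report-Only: violations are only reported.
    'allow' -> Content-Security-Policy: resources outside the allowlist are
               blocked and the block is still reported.
    """
    if action not in ("log", "allow"):
        raise ValueError(f"unknown action: {action}")
    header = ("Content-Security-Policy" if action == "allow"
              else "Content-Security-Policy-Report-Only")
    directives = [f"{name} {' '.join(srcs)}" for name, srcs in rule.items()]
    directives.append(f"report-uri {REPORT_ENDPOINT}")
    return header, "; ".join(directives)


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified CSP source-expression matching: 'self', 'none', scheme,
    exact host and leading-wildcard host (*.example.com excludes the apex)."""
    u = urlsplit(url)
    url_host = (u.hostname or "").lower()
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source == "'none'":
        return False
    if source.endswith(":"):          # scheme source such as https:
        return u.scheme == source[:-1]
    s = urlsplit(source if "://" in source else f"//{source}")
    if s.scheme and s.scheme != u.scheme:
        return False
    host = (s.hostname or "").lower()
    if host.startswith("*."):
        return url_host.endswith(host[1:])   # subdomains only, never the apex
    return url_host == host


def evaluate(rule: dict, action: str, directive: str, url: str,
             page_origin: str) -> str:
    """Outcome for one resource: 'allowed', 'reported' (log) or 'blocked' (allow).
    A directive missing from the rule falls back to default-src, as in CSP."""
    sources = rule.get(directive, rule.get("default-src", []))
    if any(source_matches(s, url, page_origin) for s in sources):
        return "allowed"
    return "blocked" if action == "allow" else "reported"
```

Validate a rule by running it with `action="log"` first and reviewing the reported outcomes; only then switch the same allowlist to `action="allow"`.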

Next steps

Refer to the following pages for instructions on creating a content security rule:

Shortly after you configure content security rules, the Cloudflare dashboard will start displaying any violations of those rules.

You can filter client-side security alert notifications according to the content security rules you configured in a zone. These alerts are called scoped alerts.