Content Security Policies (CSPs) and Cloudflare
A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including:
- Content/code injection
- Cross-site scripting (XSS)
- Embedding malicious resources
- Malicious iframes (clickjacking)
To learn more about configuring a CSP in general, refer to the Mozilla documentation.
Using a CSP with Cloudflare
Cloudflare’s CDN is compatible with CSP.
Cloudflare does not:
- Modify CSP headers from the origin web server.
- Require changes to acceptable sources for first- or third-party content.
- Modify URLs (besides adding the
- Interfere with locations specified in your CSP.
To use certain Cloudflare features, however, you may need to update the headers in your CSP:
|Rocket Loader, Mirage|
|Cloudflare Apps, Scrape Shield|
|Page Shield||Refer to Page Shield CSP Header format.|
|Zaraz||No updates required (details).|
|Turnstile||Refer to Turnstile FAQ.|
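Before enabling a feature that loads a script from an additional host, you can check whether your current policy would permit it. The following is an added example, not Cloudflare's code: the function names are hypothetical, the host names are constructed placeholders, and the matcher implements a simplified subset of CSP source matching.

```javascript
// Added example. Simplified CSP source matching for script loads: covers
// 'none', 'self', *, scheme sources, and host sources (wildcard, port, path).
// Nonces, hashes and 'strict-dynamic' are not evaluated here.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// An http source also matches the https form of the same URL.
const schemeOk = (want, got) => got === want || (want === "http:" && got === "https:");

function sourceMatches(expr, url, page) {
  if (/^'self'$/i.test(expr)) return url.origin === page.origin;
  if (expr === "*") return schemeOk("http:", url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeOk(expr.toLowerCase(), url.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false; // quoted keywords, nonces, hashes
  const [, scheme, wild, host, port, path] = m;
  // A host source without a scheme inherits the protected page's scheme.
  const want = scheme ? scheme.toLowerCase() + ":" : page.protocol;
  if (!schemeOk(want, url.protocol)) return false;
  const h = host.toLowerCase();
  if (wild ? !url.hostname.endsWith("." + h) : url.hostname !== h) return false;
  const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port ? port !== "*" && port !== urlPort : url.port !== "") return false;
  if (!path || path === "/") return true;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

// Returns true when the policy would let the page load a script from scriptUrl.
function scriptAllowed(header, pageUrl, scriptUrl) {
  const policy = parseCsp(header);
  const sources = policy.get("script-src-elem") ?? policy.get("script-src") ?? policy.get("default-src");
  if (sources === undefined) return true; // no directive governs scripts
  const page = new URL(pageUrl), url = new URL(scriptUrl, pageUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}

// Constructed sample: the feature's script host (placeholder) is missing, then added.
const before = "default-src 'self'; script-src 'self' https://static.example.net";
const after = before + " https://scripts.example.org";
const probe = "https://scripts.example.org/loader.js";
console.log(scriptAllowed(before, "https://www.example.com/", probe), scriptAllowed(after, "https://www.example.com/", probe));
```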