
Content Security Policies (CSPs)

A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including:

  • Content/code injection
  • Cross-site scripting (XSS)
  • Embedding malicious resources
  • Malicious iframes (clickjacking)

To learn more about configuring a CSP in general, refer to the Mozilla documentation.

Using a CSP with Cloudflare

Cloudflare’s CDN is compatible with CSP.

Cloudflare does not:

  • Modify CSP headers from the origin web server (except when using Zaraz, to ensure the Zaraz script is always running).
  • Require changes to acceptable sources for first or third-party content.
  • Modify URLs (besides adding the /cdn-cgi/ endpoint and, with Cloudflare Fonts, rewriting Google Fonts URLs).
  • Interfere with locations specified in your CSP.

If you require the CSP headers to be changed or added, you can change them using some Cloudflare products.

Product requirements

To use certain Cloudflare features, however, you may need to update the headers in your CSP:

Feature(s)                      Updated headers
Rocket Loader, Mirage           script-src 'self' ajax.cloudflare.com;
Cloudflare Apps, Scrape Shield  script-src 'self' 'unsafe-inline'
Web Analytics                   script-src static.cloudflareinsights.com; connect-src cloudflareinsights.com
Bot products                    Refer to JavaScript detections and CSPs.
Page Shield                     Refer to Page Shield CSP Header format.
Zaraz                           No updates required (details).
Turnstile                       Refer to Turnstile CSP.
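The following is an added example, not code from Cloudflare or from this page. It parses a Content-Security-Policy header string, reports which sources from the table above a given feature still lacks, and produces a merged policy. The REQUIRED map encodes only the rows whose directives are spelled out above (Rocket Loader, Mirage, Cloudflare Apps, Scrape Shield, Web Analytics); the rows that defer to other documentation are left out, and the sample policy in the usage call is constructed.

```javascript
// Added example (not Cloudflare's code). REQUIRED mirrors the "Product requirements"
// rows above; the sample policy below is constructed for illustration.
const REQUIRED = {
  "Rocket Loader": { "script-src": ["'self'", "ajax.cloudflare.com"] },
  "Mirage": { "script-src": ["'self'", "ajax.cloudflare.com"] },
  "Cloudflare Apps": { "script-src": ["'self'", "'unsafe-inline'"] },
  "Scrape Shield": { "script-src": ["'self'", "'unsafe-inline'"] },
  "Web Analytics": {
    "script-src": ["static.cloudflareinsights.com"],
    "connect-src": ["cloudflareinsights.com"],
  },
};

// Parse "directive src src; directive src" into a Map of directive -> [sources].
// Directive names are case-insensitive per the CSP spec, so they are lowercased.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources);
  }
  return policy;
}

// Serialize a policy Map back into header form.
function serializeCsp(policy) {
  return [...policy].map(([d, s]) => [d, ...s].join(" ")).join("; ");
}

// Sources the feature needs that the current policy does not grant.
// A fetch directive that is absent falls back to default-src, as browsers do.
// Matching is exact: a wildcard such as *.cloudflare.com is NOT expanded here,
// so a wildcard-based policy may be reported as missing a source it does permit.
function missingSources(policy, feature) {
  const missing = {};
  for (const [directive, needed] of Object.entries(REQUIRED[feature])) {
    const effective = policy.get(directive) ?? policy.get("default-src") ?? [];
    const absent = needed.filter((src) => !effective.includes(src));
    if (absent.length) missing[directive] = absent;
  }
  return missing;
}

// Return a new policy with the feature's sources added. When a directive was only
// inherited from default-src, the fallback list is copied first, because adding an
// explicit script-src would otherwise stop default-src from applying to scripts.
function addFeature(policy, feature) {
  const merged = new Map([...policy].map(([d, s]) => [d, [...s]]));
  for (const [directive, needed] of Object.entries(REQUIRED[feature])) {
    if (!merged.has(directive)) {
      merged.set(directive, [...(merged.get("default-src") ?? [])]);
    }
    const current = merged.get(directive);
    for (const src of needed) {
      if (!current.includes(src)) current.push(src);
    }
  }
  return merged;
}

// Usage with a constructed policy: report the gap, then print the merged header.
const sample = parseCsp("default-src 'self'; script-src 'self' cdn.example.com; connect-src 'self'");
console.log(missingSources(sample, "Web Analytics"));
console.log(serializeCsp(addFeature(sample, "Web Analytics")));
```

Two points worth keeping in mind when using this: the Cloudflare Apps and Scrape Shield row requires 'unsafe-inline' in script-src, which allows any inline script and so removes most of the XSS protection a CSP gives, so those features deserve a deliberate risk decision rather than a mechanical merge; and because the check compares sources literally, a policy that already covers a host through a wildcard or scheme source should be reviewed by hand before the merged header is deployed.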