Content Security Policies (CSPs) and Cloudflare
A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including:
- Content/code injection
- Cross-site scripting (XSS)
- Embedding malicious resources
- Malicious iframes (clickjacking)
To learn more about configuring a CSP in general, refer to the Mozilla documentation.
Using a CSP with Cloudflare
Cloudflare’s CDN is compatible with CSP.
Cloudflare does not:
- Modify CSP headers from the origin web server (except when using Zaraz, to ensure the Zaraz script is always running).
- Require changes to acceptable sources for first or third-party content.
- Modify URLs (besides adding the
/cdn-cgi/endpoint and Cloudflare Fonts that rewrites Google Fonts urls). - Interfere with locations specified in your CSP.
If you require the CSP headers to be changed or added, you can change them using some Cloudflare products:
- If your website is proxied through Cloudflare, you can use a Response Header Modification rule to modify or add CSP headers.
- If your website is hosted using Cloudflare Pages, you can set a
_headers fileto modify or add CSP headers.
Product requirements
To use certain Cloudflare features, however, you may need to update the headers in your CSP:
| Feature(s) | Updated headers |
|---|---|
| Rocket Loader, Mirage | script-src 'self' ajax.cloudflare.com; |
| Cloudflare Apps, Scrape Shield | script-src 'self' 'unsafe-inline' |
| Web Analytics | script-src static.cloudflareinsights.com; connect-src cloudflareinsights.com |
| Bot products | Refer to JavaScript detections and CSPs. |
| Page Shield | Refer to Page Shield CSP Header format. |
| Zaraz | No updates required ( details). |
| Turnstile | Refer to Turnstile CSP. |