Content Security Policy (CSP) Directives
- Updated on 22 Nov 2023
Content Security Policy (CSP) is an HTTP response header that adds a layer of security to your website. It helps browsers detect and block attacks such as cross-site scripting (XSS), clickjacking, and other client-side attacks that attempt to inject malicious content into your web pages.
Browsers enforce your website's content security policy to keep each visit secure for your users. If a page tries to load an application or resource (e.g. JavaScript, CSS) from a source that your CSP does not allow, the browser blocks it and prevents it from loading.
For this reason, if you have enabled the CSP header on your website, you may need to add the following directives to your CSP header to allow the Insider tag.
<meta http-equiv="Content-Security-Policy"
content="
connect-src 'self' https://*.useinsider.com https://*.api.useinsider.com wss://*.useinsider.com;
font-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
frame-src 'self' 'unsafe-eval' 'unsafe-inline' blob: *.useinsider.com *.api.useinsider.com;
img-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
style-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
script-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
script-src-elem 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
worker-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
object-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
">
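If your site already sends a CSP, the sources above have to be merged into it rather than pasted over it. The following is an added example, not Insider's code: `parseCsp`, `mergeCsp` and the sample site policy (including its nonce placeholder) are assumptions made for illustration. It merges a subset of the directives above into an existing policy, preserves sources a directive previously inherited, and reports where the merge loosens script or style restrictions.

```javascript
// Added example, not Insider's code: merge vendor CSP sources into a site policy.
const FALLBACK = { // directive a missing one inherits from (CSP Level 3)
  "script-src-elem": ["script-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
  "frame-src": ["child-src", "default-src"],
};
// These keywords only take effect in script and style directives.
const RISKY = ["'unsafe-inline'", "'unsafe-eval'"];

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    // Browsers ignore a repeated directive: the first occurrence wins.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

function mergeCsp(sitePolicy, vendorPolicy) {
  const merged = parseCsp(sitePolicy);
  const weakened = [];
  for (const [name, vendorSources] of parseCsp(vendorPolicy)) {
    // A directive the site never set inherits from its fallback. Adding it
    // explicitly replaces that inheritance, so seed it with the inherited sources.
    const chain = [name, ...(FALLBACK[name] || ["default-src"])];
    const inherited = chain.map((d) => merged.get(d)).find(Boolean) || [];
    // 'none' must stand alone, so it is dropped once real sources are added.
    const result = inherited.filter((s) => s !== "'none'");
    for (const src of vendorSources) {
      if (result.includes(src)) continue;
      result.push(src);
      if (RISKY.includes(src) && /^(script|style)-src/.test(name)) weakened.push(`${name} ${src}`);
    }
    merged.set(name, result);
  }
  const policy = [...merged].map(([n, s]) => [n, ...s].join(" ")).join("; ");
  return { policy, weakened };
}

// Constructed sample site policy; VENDOR is a subset of the directives on this page.
const SITE = "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'";
const VENDOR = `connect-src 'self' https://*.useinsider.com https://*.api.useinsider.com wss://*.useinsider.com;
  script-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  object-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com`;
const result = mergeCsp(SITE, VENDOR);
console.log(result.policy);
console.log("Review before deploying:", result.weakened);
```

Because the sample site policy carries a nonce, browsers ignore the added 'unsafe-inline' in script-src, while 'unsafe-eval' still takes effect. Send the merged policy as the `Content-Security-Policy` response header where you can, since some directives (for example `frame-ancestors` and reporting) are not honoured in a `<meta>` element.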