Adding a Content-Security-Policy HTTP response header to any site through CloudFlare.

The easiest way to add a Content-Security-Policy (CSP) response header to your CloudFlare site is to create a Modify Response Header rule, under Transform Rules. From the CloudFlare Dashboard, set the header name to Content-Security-Policy, or Content-Security-Policy-Report-Only if you don't want to block anything yet, and set the header value to default-src 'self', which will allow only scripts, images, etc. from the same origin.

In the above example we are simply setting a policy:
default-src 'self';

Chances are you will need something more involved than that. If you're not sure what default-src 'self'; means, then check out the Content Security Policy reference for details.
If you are using CloudFlare Pages, another way to add an HTTP response header is to place a file named _headers in the publish directory of your site. The syntax for that file might look like this:

/*
  Content-Security-Policy: default-src 'self';

You can create different policies for different URI paths using the _headers file if you want to as well.
If you have CloudFlare Analytics enabled for your site, you will need to make sure you allow their script to load. The script that is injected looks something like this:
<script defer src="https://static.cloudflareinsights.com/beacon.min.js/v123" integrity="sha512-yadayada" data-cf-beacon='{"rayId":"1","r":1,"version":"2023.10.0","token":"2"}' crossorigin="anonymous"></script>
Then you would need a policy like this:
default-src 'self'; script-src 'self' static.cloudflareinsights.com
Note that CloudFlare will also post an XHR request to /cdn-cgi/rum under your same domain; this is covered by our default-src 'self' policy, or by a connect-src 'self' or similar policy.
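As an added example (not code from this page or from CloudFlare), the following Python checks whether a candidate policy string permits the two requests the analytics beacon makes, applying the fallback from script-src and connect-src to default-src that the note above relies on. The page origin https://example.com used in the check is a constructed placeholder.

```python
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are not set explicitly.
FALLS_BACK_TO_DEFAULT = {"script-src", "connect-src", "img-src", "style-src", "font-src"}


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    pattern = pattern.lower()
    if pattern.startswith("*."):          # wildcard source, e.g. *.cloudflareinsights.com
        return host.endswith(pattern[1:])
    return host == pattern


def allows(policy, directive, url, page_origin):
    """True if the policy lets `directive` fetch `url` from a page served at `page_origin`."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True                        # nothing restricts this fetch type
    target, origin = urlparse(url), urlparse(page_origin)
    for src in sources:
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src == "'self'":
            if (target.scheme, target.hostname, target.port) == (origin.scheme, origin.hostname, origin.port):
                return True
        elif "://" in src:                 # scheme-qualified host source
            s = urlparse(src)
            if s.scheme == target.scheme and _host_matches(s.hostname, target.hostname):
                return True
        elif _host_matches(src.split("/")[0], target.hostname) and target.scheme in (origin.scheme, "https"):
            return True                    # bare host source matches the page's scheme (or https)
    return False


def cloudflare_insights_ok(header, page_origin):
    """Check the two loads CloudFlare Analytics makes: the beacon script and the /cdn-cgi/rum XHR."""
    policy = parse_csp(header)
    beacon = allows(policy, "script-src", "https://static.cloudflareinsights.com/beacon.min.js", page_origin)
    rum = allows(policy, "connect-src", page_origin + "/cdn-cgi/rum", page_origin)
    return beacon, rum
```

Running the check against the bare default-src 'self' policy reports the beacon script blocked and the rum XHR allowed; adding the script-src line from above allows both.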
Want to learn the ins and outs of CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.