
How to Configure your Content Security Policy (CSP) for CANDDi

What is a Content Security Policy?

A Content Security Policy (or CSP) is an extra layer of browser security. It lets a web server tell the browser, when it responds with a page, which sources of code it trusts, and this mainly protects against cross-site scripting (XSS) attacks. This means that even if you clicked on a phishing link that tried to inject code into the page, the CSP would stop the browser from loading code from any source the policy does not trust.

Having a CSP can protect you from data theft, vulnerability to malware, and your own site being infected with malware.

If you want to learn more about CSPs and how to use them, go here!


How to use CANDDi with a CSP

If you already have your own CSP in place, you should add the below values into your own script-src / img-src directives:

script-src https://*.canddi.io https://*.canddi.com; img-src https://*.canddi.io https://*.canddi.com;

If you’re starting fresh and don’t already have a CSP, then a good starting point would look something like this:

script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.canddi.io https://*.googletagmanager.com https://*.canddi.com; img-src 'self' https://*.canddi.io https://*.canddi.com;

This allows both CANDDi and your own site to be trusted sources of code, so the browser will not be stopped from loading the page.

NOTE: The above 'https://*.googletagmanager.com' source is only required if you're using Google Tag Manager to load CANDDi Tracking. If you’re not using Google Tag Manager, then you can remove this, but you don’t have to -- it just won’t do anything!
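As an added example that is not part of this article or of CANDDi's own software, the Python helpers below merge the two CANDDi sources above into an existing policy header (the "already have a CSP" case), flag the 'unsafe-inline' / 'unsafe-eval' keywords in the starter policy (they re-enable the inline and eval execution paths that CSP is meant to block), and check whether a wildcard source such as https://*.canddi.io covers a given URL. Host matching is simplified: ports and paths are ignored, and all sample headers are constructed.

```python
"""Helpers for adding the CANDDi CSP sources to an existing policy header.
Constructed example; CSP host matching is simplified (no port/path rules)."""
from typing import Dict, List
from urllib.parse import urlsplit

CANDDI_SOURCES = ["https://*.canddi.io", "https://*.canddi.com"]
WEAK_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Rebuild the header string, keeping directive order."""
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())

def add_canddi_sources(header: str) -> str:
    """Add the CANDDi hosts to script-src and img-src. A missing directive is
    created from default-src so the policy's existing fallback is kept; if there
    is no default-src either, the new directive lists only the CANDDi hosts."""
    policy = parse_csp(header)
    for directive in ("script-src", "img-src"):
        if directive not in policy:
            policy[directive] = list(policy.get("default-src", []))
        for src in CANDDI_SOURCES:
            if src not in policy[directive]:  # idempotent on repeated runs
                policy[directive].append(src)
    return serialize_csp(policy)

def weak_script_keywords(header: str) -> List[str]:
    """Report 'unsafe-inline' / 'unsafe-eval' present in script-src."""
    return sorted(WEAK_KEYWORDS & set(parse_csp(header).get("script-src", [])))

def source_allows(source: str, url: str) -> bool:
    """True if a host-source like https://*.canddi.io covers url. The scheme
    must match, and a '*.' prefix matches subdomains only, not the bare apex."""
    scheme, host = source.lower().split("://", 1)
    parts = urlsplit(url)
    if parts.scheme != scheme or parts.hostname is None:
        return False
    if host.startswith("*."):
        return parts.hostname.endswith(host[1:])  # host[1:] == ".canddi.io"
    return parts.hostname == host
```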

Have more questions? Contact us at hello@canddi.com or 0161 414 1080

Updated on: 04/02/2020
