Cloudflare Docs
Cloudflare Fundamentals

Content Security Policies (CSPs) and Cloudflare

A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including:

  • Content/code injection
  • Cross-site scripting (XSS)
  • Embedding malicious resources
  • Malicious iframes (clickjacking)

To learn more about configuring a CSP in general, refer to the Mozilla documentation.

Using a CSP with Cloudflare

Cloudflare’s CDN is compatible with CSP.

Cloudflare does not:

  • Modify CSP headers from the origin web server.
  • Require changes to acceptable sources for first or third-party content.
  • Modify URLs (besides adding the /cdn-cgi/ endpoint).
  • Interfere with locations specified in your CSP.

Product requirements

To use certain Cloudflare features, however, you may need to add sources to the directives of your CSP. The values below are additions: merge them into the directive you already send rather than replacing it.

Feature(s)                       Directive values to add
Rocket Loader, Mirage            script-src 'self' ajax.cloudflare.com;
Cloudflare Apps, Scrape Shield   script-src 'self' 'unsafe-inline'
Web Analytics                    script-src static.cloudflareinsights.com; connect-src cloudflareinsights.com
Bot products                     Refer to JavaScript detections and CSPs.
Page Shield                      Refer to Page Shield CSP Header format.
Zaraz                            No updates required (details).
Turnstile                        Refer to Turnstile FAQ.

Two caveats apply when you make these changes. First, 'unsafe-inline' in script-src allows every inline script to run, including one an attacker injects, so enabling Cloudflare Apps or Scrape Shield on pages that render user-controlled content gives up most of the XSS protection the policy exists to provide; if script-src already carries a nonce, hash or 'strict-dynamic' source, CSP Level 2 and later browsers ignore 'unsafe-inline' next to it and the inline scripts stay blocked. Second, if your policy has no script-src or connect-src directive, browsers fall back to default-src for those fetches: when you add one of these directives for the first time, carry over the sources from default-src, or a bare connect-src cloudflareinsights.com will block every other fetch and XHR the page makes.
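As an added example that is not part of Cloudflare's documentation, the script below merges the directive values from the table above into an existing Content-Security-Policy header value. The feature keys, the merging rules (seeding a new directive from default-src, dropping a lone 'none', warning about 'unsafe-inline') and the sample policies are this example's own assumptions; only the source lists come from the table.

```javascript
// Added example (not Cloudflare's code): merge the CSP sources a Cloudflare
// feature needs into an existing Content-Security-Policy header value.
// The feature keys and the merging rules are this example's own assumptions;
// the source lists come from the product requirements table.
const CLOUDFLARE_CSP_REQUIREMENTS = {
  "rocket-loader":   { "script-src": ["'self'", "ajax.cloudflare.com"] },
  "mirage":          { "script-src": ["'self'", "ajax.cloudflare.com"] },
  "cloudflare-apps": { "script-src": ["'self'", "'unsafe-inline'"] },
  "scrape-shield":   { "script-src": ["'self'", "'unsafe-inline'"] },
  "web-analytics":   { "script-src": ["static.cloudflareinsights.com"],
                       "connect-src": ["cloudflareinsights.com"] },
};

// Source expressions that make CSP Level 2+ browsers ignore 'unsafe-inline'.
const OVERRIDES_UNSAFE_INLINE = /^'(nonce-|sha(256|384|512)-|strict-dynamic)/i;

// Parse "name src src; name src" into an insertion-ordered Map.
// A repeated directive is ignored, as browsers keep only the first one.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy].map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Append sources to a directive without dropping what is already allowed.
// If the directive is absent, the browser falls back to default-src for that
// fetch type, so the new directive starts from default-src's sources: a bare
// "connect-src cloudflareinsights.com" would otherwise block every other
// fetch/XHR the page makes. A lone 'none' is removed, since any other source
// next to it would be meaningless.
function addSources(policy, directive, sources) {
  const base = policy.get(directive) ?? policy.get("default-src") ?? [];
  const merged = base.filter((s) => s !== "'none'");
  for (const s of sources) {
    if (!merged.includes(s)) merged.push(s);
  }
  policy.set(directive, merged);
}

// Returns the updated header value plus warnings about weakened protection.
function cspForFeatures(header, features) {
  const policy = parseCsp(header);
  const warnings = [];
  for (const feature of features) {
    const requirements = CLOUDFLARE_CSP_REQUIREMENTS[feature];
    if (!requirements) throw new Error(`unknown feature: ${feature}`);
    for (const [directive, sources] of Object.entries(requirements)) {
      addSources(policy, directive, sources);
      if (sources.includes("'unsafe-inline'")) {
        warnings.push(`${directive}: 'unsafe-inline' lets any inline script run, ` +
                      `including injected ones, which removes most of CSP's XSS protection`);
        if (policy.get(directive).some((s) => OVERRIDES_UNSAFE_INLINE.test(s))) {
          warnings.push(`${directive}: a nonce, hash or 'strict-dynamic' source is present, so ` +
                        `CSP Level 2+ browsers ignore 'unsafe-inline' and inline scripts stay blocked`);
        }
      }
    }
  }
  return { header: serializeCsp(policy), warnings };
}

// Constructed sample policy, not taken from any real site.
if (typeof require !== "undefined" && require.main === module) {
  const result = cspForFeatures(
    "default-src 'self'; script-src 'self' 'nonce-abc123'; img-src 'self' data:",
    ["web-analytics", "cloudflare-apps"],
  );
  console.log(result.header);
  for (const w of result.warnings) console.log("WARNING:", w);
}
```

Run it with node and feed it the policy your origin actually sends; the warnings are the part to read before deploying, because a policy that merely parses is not the same as one that still blocks injected scripts.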