Cloudflare Docs
Cloudflare Fundamentals
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Content Security Policies (CSPs) and Cloudflare

A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including:

  • Content/code injection
  • Cross-site scripting (XSS)
  • Embedding malicious resources
  • Malicious iframes (clickjacking)

To learn more about configuring a CSP in general, refer to the Mozilla documentation.

​​ Using a CSP with Cloudflare

Cloudflare’s CDN is compatible with CSP.

Cloudflare does not:

If you require the CSP headers to be changed or added, you can change them using some Cloudflare products:

​​ Product requirements

To use certain Cloudflare features, however, you may need to update the headers in your CSP:

Feature(s)Updated headers
Rocket Loader, Miragescript-src 'self' ajax.cloudflare.com;
Cloudflare Apps, Scrape Shieldscript-src 'self' 'unsafe-inline'
Web Analyticsscript-src static.cloudflareinsights.com; connect-src cloudflareinsights.com
Bot productsRefer to JavaScript detections and CSPs.
Page ShieldRefer to Page Shield CSP Header format.
ZarazNo updates required ( details).
TurnstileRefer to Turnstile CSP.