Content Security Policy
Control resources the user agent is allowed to load.
After Dark helps you secure your site using Content Security Policy (CSP). Basic CSP is enabled by default and Advanced Configurations are also possible.
Basic CSP offers minimal protection but is still helpful as it keeps resources from accidentally being loaded over
http. In addition, Basic CSP automatically blocks all Flash and Silverlight objects before they have a chance to load.
Disable CSP site-wide add the following to your site config:
[params] disable_csp = true # disable site-wide
Disable CSP for a specific page using front matter:
disable_csp = true # disable for page
Advanced configuration allows you to fine-tune policy directives based on your specific needs. To get started specify at least 1 CSP directive in site config.
Note: You may wish to Disable LiveReload while defining advanced config.
Define the script-src directive site-wide:
[params.security.csp.directives] scriptSrc = [ "'self'", "'unsafe-inline'", "https:", "'sha512-Jx/MqTxYWqHdoOkHItRJJZCvFDhERPr5gG4I5ESu3V+BgQyAQ6wXfdsGzhzmT0yyvkAWz2jbrn81q90RRJTSTg=='", "'sha512-hno7WeTIciCJSjg/myjyK30HYkrcGCVwo4g4SpUalvrs3r2lS7bPNIQwbCNypKbg7BZ1sA4AsGnk6Gq4NOKpGA=='", "'sha512-ISTAV0GadOIz/NXXHOS&+eCM0ysXVVHhQTlvA6LJxz/DeA5yIxm0Vqf5IE&+WH0yuuXkayAKtoZkQ326nch5f/fg=='", "'strict-dynamic'" ]
This will override the
script-src directive’s advanced default:
Once set, view the
Content-Security-Policy meta tag in the
head of your page and inspect the console for errors as you navigate to different pages. Each time you encounter an error caused by CSP is an opportunity to improve your policy.
Add page-specific directives from page front matter using the same structure and naming conventions used in site config to append items for that page:
[security.csp.directives] scriptSrc = [ "'sha512-TKVuLlCT8+a0Chpa6Pw3clhu9fhZ9JOzgblgxQaUQVP/z4lfPnrdyWDOgucORnS2qapWu/iPVG2d0ywyGH2NjA=='" ]
Continue overriding advanced defaults as necessary until all CSP errors are resolved or you’re satisfied with the changes.
- About Content Security Policy
- Test policy with Observatory by Mozilla
- See CSP examples to learn more