What is a content security policy (CSP)?
In short, Content Security Policy (CSP) is an added layer of security on your website that helps to detect and mitigate certain types of malicious activity, including Cross-Site Scripting (XSS) and data injection attacks.
These attacks are frequently used for data theft, site defacement, and malware distribution.
A CSP is a policy that restricts what content is allowed to load on your website. It is a widely supported security standard recommended for anyone who operates a website.
Only make changes to this section of Easy Eatery's control panel if you are comfortable working with content security policies. Only add what you need; a more relaxed CSP opens your site up to unnecessary risk.
Easy Eatery and CSP
Enforcing a solid content security policy improves the security of any website. Easy Eatery ships with a strict CSP that, by default, allows only a select number of trusted and popular third-party domains.
Our CSP editor lets you whitelist additional third-party domains under each supported directive, permitting specific actions from domains you trust.
Supported directives
At the time of writing, Easy Eatery permits additions to the following CSP directives:
Directive | Description |
---|---|
script-src | Defines authorised sources for client-side scripts, such as JavaScript |
connect-src | Applies to connections made from an XMLHttpRequest (AJAX) or a WebSocket |
frame-src | Defines authorised sources for loading frames (iframe or frame) |
img-src | Defines authorised sources for images, or link elements related to an image type (e.g. `rel="icon"`) |
media-src | Defines authorised sources for media elements (e.g. `<audio>`, `<video>`) |
style-src | Defines authorised sources for cascading style sheets (CSS) |
font-src | Defines authorised sources from which font files can be loaded |
default-src | The default policy, used for every resource type (JavaScript, fonts, CSS, frames, etc.) unless overridden by a more specific directive |
Domains supported by default:
Directive | Domains |
---|---|
script-src | 'self' connect.facebook.net *.mapbox.com *.google-analytics.com *.googletagmanager.com *.google.com *.twitter.com *.gstatic.com |
connect-src | 'self' *.google-analytics.com *.googletagmanager.com *.google.com *.mapbox.com |
frame-src | 'self' *.google.com *.youtube.com *.vimeo.com *.twitter.com |
img-src | 'self' *.facebook.com *.google-analytics.com *.mapbox.com |
media-src | 'self' |
style-src | 'self' 'unsafe-inline' fonts.gstatic.com fonts.googleapis.com *.mapbox.com |
font-src | 'self' ik.imagekit.io fonts.gstatic.com fonts.googleapis.com |
default-src | 'none' |
Notes:
- We allow 'unsafe-inline' within style-src to support inline styling on our websites. Although this is not best practice, we understand that inline styling is sometimes needed.
- We do not permit embedding Easy Eatery websites within an iframe, to help prevent cross-frame scripting attacks.
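To make the two tables above concrete, here is an added example (not Easy Eatery's own code) that transcribes the default source lists into a policy, serialises them as a `Content-Security-Policy` header, and checks whether a given URL would be allowed under a directive, including the fall-back to `default-src 'none'` for directives the tables do not list and the rule that a `*.google.com` wildcard matches subdomains but not the apex `google.com`. The site origin and the extra partner host are constructed placeholders, and scheme and port matching are simplified.

```python
from urllib.parse import urlsplit

# Easy Eatery's default source lists, transcribed from the table above.
DEFAULT_POLICY = {
    "default-src": ["'none'"],
    "script-src": ["'self'", "connect.facebook.net", "*.mapbox.com", "*.google-analytics.com",
                   "*.googletagmanager.com", "*.google.com", "*.twitter.com", "*.gstatic.com"],
    "connect-src": ["'self'", "*.google-analytics.com", "*.googletagmanager.com",
                    "*.google.com", "*.mapbox.com"],
    "frame-src": ["'self'", "*.google.com", "*.youtube.com", "*.vimeo.com", "*.twitter.com"],
    "img-src": ["'self'", "*.facebook.com", "*.google-analytics.com", "*.mapbox.com"],
    "media-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'", "fonts.gstatic.com", "fonts.googleapis.com",
                  "*.mapbox.com"],
    "font-src": ["'self'", "ik.imagekit.io", "fonts.gstatic.com", "fonts.googleapis.com"],
}

def build_header(policy):
    """Serialise a directive -> sources mapping as a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())

def _host_matches(pattern, host):
    # A CSP host wildcard only matches subdomains: *.google.com does not match google.com.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def is_allowed(policy, directive, url, site_origin):
    """True if `url` may load under `directive`; directives absent from the policy use default-src."""
    sources = policy[directive] if directive in policy else policy.get("default-src", [])
    if "'none'" in sources:
        return False
    host = urlsplit(url).hostname or ""
    for src in sources:
        if src == "'self'" and host == urlsplit(site_origin).hostname:
            return True
        if not src.startswith("'") and _host_matches(src, host):   # keywords are quoted, hosts are not
            return True
    return False

def add_source(policy, directive, host):
    """Whitelist one extra host for one directive only; returns a new policy, leaving the original intact."""
    extended = {name: list(srcs) for name, srcs in policy.items()}
    extended.setdefault(directive, [])
    if host not in extended[directive]:
        extended[directive].append(host)
    return extended

if __name__ == "__main__":
    print(build_header(DEFAULT_POLICY))
```

Adding a host to `img-src` does not let the same host serve scripts, which is the "only add what you need" principle stated earlier.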