
What is a content security policy (CSP)?

In short, Content Security Policy (CSP) is an added layer of security on your website that helps to detect and mitigate certain types of malicious activity, including Cross-Site Scripting (XSS) and data injection attacks.

These attacks are frequently used for data theft, site defacement, and malware distribution.

A CSP is a policy that restricts what content is allowed to load on your website. It is a widely supported security standard, recommended to anyone who operates a website.

For advanced users only.

Only make changes to this section of Easy Eatery's control panel if you are comfortable working with content security policies. Only add what you need; a more relaxed CSP opens your site up to unnecessary risk.

Easy Eatery and CSP

Enforcing a solid content security policy can improve the security of any website. Easy Eatery enforces a strict CSP by default, while allowing a select number of trusted and popular third-party domains out of the box.

Our CSP editor allows you to white-list additional third-party domains for various directives, permitting specific actions from domains you trust.

Supported directives

At the time of writing, Easy Eatery permits additions to the following CSP directives:

Directive     Description
script-src    Defines authorised sources for client-side scripting, such as JavaScript
connect-src   Defines authorised endpoints for connections made by XMLHttpRequest (AJAX) or WebSocket
frame-src     Defines authorised sources for loading frames (iframe or frame)
img-src       Defines authorised sources for images, or link elements related to an image type (e.g. rel="icon")
media-src     Defines authorised sources for media elements (e.g. <audio>, <video>)
style-src     Defines authorised sources for cascading style sheets (CSS)
font-src      Defines authorised sources from which font files can be loaded
default-src   The default policy, used for any resource type (JavaScript, fonts, CSS, frames, etc.) unless overridden by a more specific directive

Domains supported by default:

Directive     Domains
script-src    'self', connect.facebook.net, *.mapbox.com, *.google-analytics.com, *.googletagmanager.com, *.google.com, *.twitter.com, *.gstatic.com
connect-src   'self', *.google-analytics.com, *.googletagmanager.com, *.google.com, *.mapbox.com
frame-src     'self', *.google.com, *.youtube.com, *.vimeo.com, *.twitter.com
img-src       'self', *.facebook.com, *.google-analytics.com, *.mapbox.com
media-src     'self'
style-src     'self', 'unsafe-inline', fonts.gstatic.com, fonts.googleapis.com, *.mapbox.com
font-src      'self', ik.imagekit.io, fonts.gstatic.com, fonts.googleapis.com
default-src   'none'

Notes:

  • We allow 'unsafe-inline' within style-src to support inline styling on our websites. Although not a best practice, we understand that there is sometimes a need for inline styling.
  • We do not permit embedding Easy Eatery websites within an iframe, to help prevent cross-frame scripting attacks.
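The following Python is an added example, not Easy Eatery's own code and not a description of how the control panel's CSP editor works internally. It transcribes the default allow-lists from the tables above into a policy dict, serialises them as a Content-Security-Policy header value (note that 'self', 'none' and 'unsafe-inline' are quoted keywords, while host names are written bare), checks whether a given URL is permitted for a directive, including the default-src fallback that blocks anything not listed, and validates a host name before it is added, mirroring the "only add what you need" guidance. The site origin is a constructed placeholder, and the matching is deliberately simplified to host names only (no scheme, port or path matching for listed hosts).

```python
"""Added example, not Easy Eatery's own code: model the default policy from the tables above,
serialise it as a Content-Security-Policy header, check whether a URL is permitted for a
directive (with the default-src fallback), and validate a host before allow-listing it."""
import re
from urllib.parse import urlsplit

# Default allow-lists transcribed from the table above. 'self', 'none' and 'unsafe-inline'
# are CSP keywords and must be quoted in the header; host names are written bare.
DEFAULT_POLICY = {
    "default-src": ["'none'"],
    "script-src": ["'self'", "connect.facebook.net", "*.mapbox.com", "*.google-analytics.com",
                   "*.googletagmanager.com", "*.google.com", "*.twitter.com", "*.gstatic.com"],
    "connect-src": ["'self'", "*.google-analytics.com", "*.googletagmanager.com",
                    "*.google.com", "*.mapbox.com"],
    "frame-src": ["'self'", "*.google.com", "*.youtube.com", "*.vimeo.com", "*.twitter.com"],
    "img-src": ["'self'", "*.facebook.com", "*.google-analytics.com", "*.mapbox.com"],
    "media-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'", "fonts.gstatic.com", "fonts.googleapis.com",
                  "*.mapbox.com"],
    "font-src": ["'self'", "ik.imagekit.io", "fonts.gstatic.com", "fonts.googleapis.com"],
}

# Constructed placeholder for the restaurant site's own origin (what 'self' resolves to).
SITE_ORIGIN = "https://example-eatery.test"

# A plain host name, optionally prefixed with "*." (bare "*", schemes and keywords are rejected).
HOST_SOURCE_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$")


def build_header(policy):
    """Serialise the policy dict into a Content-Security-Policy header value."""
    return "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())


def host_matches(pattern, host):
    """CSP host matching: '*.example.com' matches any subdomain but not example.com itself."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.mapbox.com" -> ".mapbox.com"
        return host.endswith(suffix)
    return pattern == host


def is_allowed(policy, directive, url, self_origin=SITE_ORIGIN):
    """Return True if `url` may be loaded for `directive`. A directive that is absent from
    the policy falls back to default-src, which is 'none' here, so anything not listed
    (object-src, for example) is blocked outright."""
    sources = policy.get(directive) or policy.get("default-src", [])
    if "'none'" in sources:
        return False
    target, origin = urlsplit(url), urlsplit(self_origin)
    host = (target.hostname or "").lower()
    for source in sources:
        if source == "'self'":
            if (target.scheme, host, target.port) == (origin.scheme, origin.hostname, origin.port):
                return True
        elif source.startswith("'"):
            continue  # other keywords ('unsafe-inline') govern inline content, not URLs
        elif host_matches(source.lower(), host):
            return True
    return False


def is_valid_host_source(source):
    """True only for a bare or '*.'-prefixed host name; refuses '*', keywords and schemes."""
    return bool(HOST_SOURCE_RE.match(source.lower()))


def allow_domain(policy, directive, host):
    """Return a copy of `policy` with `host` allow-listed for `directive`: only the directives
    the page lists, and only host names, so a stray '*' or 'unsafe-eval' cannot slip in."""
    if directive not in policy:
        raise ValueError(f"unsupported directive: {directive}")
    if not is_valid_host_source(host):
        raise ValueError(f"not a host-name source: {host}")
    updated = {d: list(s) for d, s in policy.items()}
    if host.lower() not in updated[directive]:
        updated[directive].append(host.lower())
    return updated


if __name__ == "__main__":
    print(build_header(DEFAULT_POLICY))
    print(is_allowed(DEFAULT_POLICY, "script-src", "https://api.mapbox.com/mapbox-gl.js"))  # True
    print(is_allowed(DEFAULT_POLICY, "script-src", "https://mapbox.com/mapbox-gl.js"))      # False
    print(is_allowed(DEFAULT_POLICY, "object-src", "https://cdn.example.test/plugin.swf"))  # False
```

The two behaviours worth noticing are the wildcard rule (a `*.mapbox.com` entry covers `api.mapbox.com` but not the apex `mapbox.com`, and never a look-alike such as `evilmapbox.com`) and the fallback rule (any directive not in the table inherits `default-src 'none'`, which is why the defaults block plugins and other unlisted resource types without naming them).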
