Note:
Custom security headers are only available to Wordpond Enterprise customers.
What is a Content Security Policy (CSP)?
A Content Security Policy (CSP) enhances a website's (or publication's) security by controlling the types of content that can be loaded into the browser.
By specifying a list of approved sources, CSP prevents the browser from loading resources from unauthorized origins, thus blocking potentially harmful content.
With CSP, you can 'whitelist' the sources from which your site's resources (like scripts, styles, fonts, and images) can load. If a resource attempts to load from a non-whitelisted origin, the browser will block it. This robust defense mechanism protects against cross-site scripting (XSS) and data injection attacks.
CSP in Wordpond
Wordpond by default implements a strong CSP. Wordpond publications block all sources by default except a select few, such as Google Fonts, Unsplash, and the like.
You will find settings to manage your CSP in your Workspace settings, under Security.
By default, Wordpond allows streaming services such as YouTube and Vimeo. If you run security tests, this may result in notifications.
You can remediate these notifications by restricting streaming service access and turning this setting to OFF. Remember that doing so will prevent content from any streaming service from displaying in your articles.
Customizing your CSP
When you toggle 'Custom configuration,' a panel with customization options will appear.
A list of options shows you which CSP directives you can configure.
- media-src: Specifies allowed sources for loading media.
- img-src: Specifies allowed sources of images and favicons.
- font-src: Specifies valid sources for fonts.
- connect-src: Restricts the URLs that can be loaded using script interfaces.
- script-src: Specifies valid sources for JavaScript resources.
- style-src: Specifies valid sources for stylesheets.
- frame-src: Specifies valid sources for nested browsing contexts loaded into <frame> and <iframe> elements.
Add the sources you want to allow to the respective directive field by clicking on the + icon. A field with an example value will appear.
Tips on values
Host
Only allow loading of resources from a specific host, with optional scheme, port, and path.
For example:
example.com, *.example.com, https://*.example.com:12/path/to/file.js.
Path parts in the CSP that end in / match any path they are a prefix of.
For example:
example.com/api/ will match URLs like example.com/api/users/new.
Other path parts in the CSP are matched precisely. For example:
- example.com/file.js will match http://example.com/file.js and https://example.com/file.js, but not https://example.com/file.js/file2.js.
Scheme
To allow loading of resources only over a specific scheme, the value must always end with ":". For example: https:, http:, data:.
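The following is an added example, not Wordpond's own code: a small JavaScript matcher that applies the host and scheme rules described above (scheme-less hosts match http and https, a path ending in "/" is a prefix, any other path is exact, wildcard hosts cover subdomains only) and builds a header value from a directive map shaped like the panel fields listed earlier. The sample policy is constructed for illustration, and the matcher covers only the host-source and scheme-source forms this page describes, not the full CSP3 algorithm (no 'self', nonces, or hashes).

```javascript
// Added example (not Wordpond's code). Assumes the matching rules exactly as
// stated on this page; full CSP3 semantics are out of scope.

// Parse one source expression into its parts; returns null for unsupported forms.
function parseSource(expr) {
  // Scheme-only source such as "https:" or "data:" (must end with ":")
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return { kind: "scheme", scheme: expr.slice(0, -1).toLowerCase() };
  }
  // Host source: [scheme://]host[:port][/path], host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^:/]+|[^:/*]+)(?::(\d+))?(\/.*)?$/i.exec(expr);
  if (!m) return null;
  return {
    kind: "host",
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] ? Number(m[3]) : null,
    path: m[4] || null,
  };
}

// "*.example.com" matches any subdomain of example.com but not example.com itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does a single source expression allow this URL?
function sourceAllows(expr, urlString) {
  const src = parseSource(expr);
  if (!src) return false;
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1).toLowerCase();

  if (src.kind === "scheme") return src.scheme === scheme;

  // Explicit scheme must match; an omitted scheme allows http and https (as the page states).
  if (src.scheme ? src.scheme !== scheme : !["http", "https"].includes(scheme)) return false;
  if (!hostMatches(src.host, url.hostname.toLowerCase())) return false;

  // Explicit port must match; URL without a port is on the scheme's default port.
  const defaultPort = { http: 80, https: 443 }[scheme];
  const urlPort = url.port ? Number(url.port) : defaultPort;
  if (src.port !== null && src.port !== urlPort) return false;

  // Path ending in "/" is a prefix match; any other path must match exactly.
  if (src.path) {
    if (src.path.endsWith("/")) {
      if (!url.pathname.startsWith(src.path)) return false;
    } else if (url.pathname !== src.path) {
      return false;
    }
  }
  return true;
}

// Check a URL against every source listed for one directive (one panel field).
function directiveAllows(sources, urlString) {
  return sources.some((expr) => sourceAllows(expr, urlString));
}

// Serialize a directive map into a Content-Security-Policy header value.
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Constructed sample policy mirroring the directive fields on this page.
const policy = {
  "img-src": ["example.com", "*.example.com", "data:"],
  "script-src": ["https://*.example.com:12/path/to/file.js", "example.com/file.js"],
  "connect-src": ["example.com/api/"],
};

console.log("Content-Security-Policy:", buildCspHeader(policy));
console.log(directiveAllows(policy["connect-src"], "https://example.com/api/users/new")); // true
console.log(directiveAllows(policy["script-src"], "https://example.com/file.js/file2.js")); // false
```

Run it with Node; the two printed checks show the prefix rule for "/api/" and the exact-path rule for "file.js". A URL that the matcher rejects is what the browser would block and report in its console when the same policy is in force.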
Note
Important: Our support and success teams cannot provide direct help with setup or troubleshooting for custom security headers for security and liability reasons. They can help advise you on how to use the platform.