Learn how to make Featurebase work with CSP.
Written By Robi Rohumaa
Last updated 4 months ago
Content Security Policy (CSP) is a security mechanism that helps protect against content injection attacks, such as Cross-Site Scripting (XSS).
Featurebase fully supports Google’s strict CSPv3:
Content-Security-Policy:
object-src 'none';
script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
base-uri 'none';
If your website already uses this policy, you don't need to change anything.
If you prefer to use source allow-listing (for instance, if you can't utilize CSPv2 or v3 features), here are the relevant directives you'll need:
script-src:
https://do.featurebase.app
If you're using other CSP directives, make sure to include the following entries for Featurebase to work properly:
connect-src:
https://*.featurebase.app
font-src:
https://fonts.gstatic.com
style-src:
https://fonts.googleapis.com https://do.featurebase.app
frame-src:
https://*.featurebase.app
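The following is an added example, not Featurebase's own code: one way to merge the entries listed above into an existing allow-list policy while respecting CSP's directive fallback rules, and leaving a strict nonce-based policy untouched. The function names, the sample policy and `cdn.example.com` are constructed for illustration.

```javascript
// Added example: merge the sources from this page into an existing CSP header.
// Source lists are copied from the page; everything else is an assumption.
const FEATUREBASE_SOURCES = {
  'script-src': ['https://do.featurebase.app'],
  'connect-src': ['https://*.featurebase.app'],
  'font-src': ['https://fonts.gstatic.com'],
  'style-src': ['https://fonts.googleapis.com', 'https://do.featurebase.app'],
  'frame-src': ['https://*.featurebase.app'],
};

// CSP fallback: frame-src inherits from child-src, then default-src.
const FALLBACKS = { 'frame-src': ['child-src', 'default-src'] };

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // Browsers ignore a repeated directive, so keep only the first one.
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, values);
  }
  return policy;
}

function addFeaturebase(header) {
  const policy = parsePolicy(header);
  for (const [directive, sources] of Object.entries(FEATUREBASE_SOURCES)) {
    let current = policy.get(directive);
    if (!current) {
      // Directive absent: copy what the browser would fall back to.
      const chain = FALLBACKS[directive] || ['default-src'];
      const inherited = chain.find((d) => policy.has(d));
      if (!inherited) continue; // unrestricted today; adding it would only restrict
      current = [...policy.get(inherited)];
    }
    // With 'strict-dynamic', host entries in script-src are ignored anyway.
    if (directive === 'script-src' && current.some((s) => s.toLowerCase() === "'strict-dynamic'")) continue;
    // 'none' is only meaningful on its own, so drop it once sources are added.
    current = current.filter((s) => s.toLowerCase() !== "'none'");
    for (const s of sources) if (!current.includes(s)) current.push(s);
    policy.set(directive, current);
  }
  return [...policy].map(([n, v]) => [n, ...v].join(' ')).join('; ');
}

// Constructed sample policy for a site that restricts everything via default-src.
const sample = "default-src 'self'; script-src 'self' https://cdn.example.com; frame-src 'none'";
console.log(addFeaturebase(sample));
```

A directive that is absent and has no fallback in the policy is left out on purpose, because adding it would introduce a restriction the site did not have before.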