Using Featurebase with Content Security Policy

Learn how to make Featurebase work with CSP.

Written By Robi Rohumaa

Last updated 4 months ago

Content Security Policy (CSP) is a security mechanism that helps protect against content injection attacks, such as Cross-Site Scripting (XSS).

Featurebase fully supports Google’s strict CSPv3:

Content-Security-Policy:
  object-src 'none';
  script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
  base-uri 'none';

If your website already uses this policy, you don't need to change anything.

If you prefer to use source allow-listing (for instance, if you can't utilize CSPv2 or v3 features), here are the relevant directives you'll need:

script-src:
  https://do.featurebase.app

If you're using other CSP directives, make sure to include the following entries for Featurebase to work properly:

connect-src:
  https://*.featurebase.app

font-src:
  https://fonts.gstatic.com

style-src:
  https://fonts.googleapis.com https://do.featurebase.app

frame-src:
  https://*.featurebase.app
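
To check an existing allow-list policy against the entries above, the following added example (not Featurebase's own code) parses a Content-Security-Policy value and reports which of the listed sources are missing. The function names and the sample policy are assumptions made for illustration; source matching is simplified to exact, scheme-only and wildcard-host matches.

```javascript
// Sources per directive, copied from the lists on this page.
const REQUIRED = {
  'script-src': ['https://do.featurebase.app'],
  'connect-src': ['https://*.featurebase.app'],
  'font-src': ['https://fonts.gstatic.com'],
  'style-src': ['https://fonts.googleapis.com', 'https://do.featurebase.app'],
  'frame-src': ['https://*.featurebase.app'],
};
// frame-src falls back to child-src, then default-src (CSP3); the others to default-src.
const FALLBACK = { 'frame-src': ['child-src', 'default-src'] };

// Parse a policy string into Map<directive, sources[]>; the first occurrence of a directive wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified match: exact source, '*', the 'https:' scheme, or an https wildcard host.
function covers(source, required) {
  if (source === required || source === '*' || source === 'https:') return true;
  const m = /^https:\/\/\*(\..+)$/.exec(source);
  return m !== null && required.slice(8).replace(/^\*/, '').endsWith(m[1]);
}

// Return { directive: [missing sources] } for directives that actually restrict loading.
function missingFeaturebaseSources(header) {
  const policy = parseCsp(header);
  const missing = {};
  for (const [directive, required] of Object.entries(REQUIRED)) {
    const chain = [directive, ...(FALLBACK[directive] || ['default-src'])];
    const effective = chain.find((d) => policy.has(d));
    if (!effective) continue; // nothing restricts this resource type
    const sources = policy.get(effective);
    // With 'strict-dynamic', host allow-lists are ignored; trust comes from the nonce.
    if (directive === 'script-src' && sources.includes("'strict-dynamic'")) continue;
    const gaps = required.filter((r) => !sources.some((s) => covers(s, r)));
    if (gaps.length) missing[directive] = gaps;
  }
  return missing;
}

// Constructed sample policy (not from the page): an allow-list site with partial Featurebase entries.
const SAMPLE = "default-src 'self'; script-src 'self' https://do.featurebase.app; " +
  "style-src 'self' https://fonts.googleapis.com; connect-src 'self' https://*.featurebase.app";
console.log(missingFeaturebaseSources(SAMPLE));
```

An empty result means every listed source is covered by the policy, or that no directive restricts that resource type.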