Content Security Policy (CSP)

Basics

Content Security Policy (CSP) is a browser security feature that helps prevent a range of attacks, most importantly Cross-Site Scripting (XSS) and other content injection. It works by letting you declare an allowlist of trusted sources per resource type and instructing the browser to execute or render only resources that come from those sources; anything else (including injected inline scripts, unless explicitly allowed) is blocked and reported. Read more about CSP and look at some example policies before enabling one on a production site.

You can set your Content Security Policy header configuration in the dashboard of a site, under the "Technical" tab in your site settings. You provide the complete value of the CSP header, and it will be sent on every response from Plate for that site. For example: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'. Note that default-src 'none' blocks every resource type you do not list explicitly, and that base-uri and form-action are not covered by default-src, which is why the example sets them separately.

You can also use the Content-Security-Policy-Report-Only header, which reports violations (in the browser console, and to a reporting endpoint if the policy names one) without blocking anything. Use it to test a new policy against the real site before switching to the enforcing header.

CSP settings are specific to each site and do not sync automatically from the theme to each child site.

Nonces

One of the features of CSP is allowing specific inline scripts by means of a nonce: the policy lists 'nonce-<value>' in script-src, and only <script> elements carrying a matching nonce attribute are executed. A nonce is only secure if it is unpredictable and different for every response, so it cannot be stored statically in the site settings. Instead, use the [nonce] placeholder, which is replaced with a request-specific nonce when the header is sent. For example default-src *; script-src 'nonce-[nonce]' will be rendered to a CSP header such as default-src *; script-src 'nonce-Rand0mNonCe'. Because script-src overrides default-src for scripts, this policy blocks every script that does not carry the nonce, even though default-src is permissive.

The same nonce can be accessed from within Liquid, so you can add it as the nonce attribute on <script> elements your templates emit, for example on user-injected scripts. Without that attribute, those inline scripts are blocked by a nonce-based policy. Never put the nonce in output that is cached and served to other requests, since a reused nonce gives an attacker a value to copy into an injected script.


Need help?

Do you have any question which is not answered in this knowledge base? Contact us. We are here to help you.