Content security policy (CSP)

Content-Security-Policy (CSP) is a security mechanism that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. With CSP, you’re able to declare which sources of content your web app trusts.

We recommend you enable CSP in your application.

Our components can be run with the following CSP configuration:

Content-Security-Policy: default-src 'self'; style-src 'self'; font-src data:;

Where self refers to the location where the assets are loaded from. Replace self with your CDN URL when you serve assets from a different domain than your website content.

Note that the code editor component requires a special CSP configuration. See our code editor development guidelines for more details.

The global styles package  includes the Open Sans font in your application. The font-src is needed to ensure that fonts are loaded along with the rest of the CSS files, to avoid font display issues . Note that Open Sans font files are available in our global styles.

Including font-src data:; does not harm security. Custom fonts can only be declared in CSS, which is already covered by the more strict style-src 'self'; directive.