Cloudscape Design System
  • Get started
  • Foundation
  • Components
  • Patterns
  • Demos
  • GitHub 
Cloudscape Design System
  • Get started
  • Foundation
  • Components
  • Patterns
  • Demos
  • GitHub 
  • About

Get started


  • Guides

    • Get started for designers
    • Get started for developers

  • Resources

    • Design resources

  • Integration

    • Using Cloudscape components
    • Global styles

  • Development guides

    • Collection hooks package
    • Content security policy (CSP)
    • Responsive development
    • State management
    • Z-index
    • Built-in internationalization
    • Bidirectionality

  • Testing

    • Introduction to testing
    • Testing frameworks integration
    • Testing core classes
  1. Cloudscape Design System
    • Get started
    • Development guides: Content security policy (CSP)
    1. Cloudscape Design System
    2. Get started
    3. Development guides: Content security policy (CSP)

    Content security policy (CSP)

    Learn how to configure the CSP of your page with Cloudscape.

    Published: August 6, 2021

    On this page

    1. What is CSP?
    2. CSP configuration
    3. Why is the font-src needed?

    Did this page help you?

    Tell us more - optional

    1000 character(s) available. Do not disclose any personal, commercially sensitive, or confidential information.

    What is CSP?

    Content-Security-Policy (CSP) is a security mechanism that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. With CSP, you’re able to declare which sources of content your web app trusts.

    We recommend you enable CSP in your application.

    CSP configuration

    Our components can be run with the following CSP configuration:

    Content-Security-Policy: default-src 'self'; style-src 'self'; font-src data:;

    Where self refers to the location where the assets are loaded from. Replace self with your CDN URL when you serve assets from a different domain than your website content.

    Note that the code editor component requires a special CSP configuration. See our code editor development guidelines for more details.

    Why is the font-src needed?

    The global styles package  includes the Open Sans font in your application. The font-src is needed to ensure that fonts are loaded along with the rest of the CSS files, to avoid font display issues . Note that Open Sans font files are available in our global styles.

    Including font-src data:; does not harm security. Custom fonts can only be declared in CSS, which is already covered by the more strict style-src 'self'; directive.

    Did this page help you?

    Tell us more - optional

    1000 character(s) available. Do not disclose any personal, commercially sensitive, or confidential information.
    • About
    • Connect
    • Privacy 
    • Site terms 
    • © 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Made with love atAWS