CSP for Giosg services¶
If your website is using Content-Security-Policy header to ensure security for your clients, you'll need to modify it for giosg services to work.
The following domains are required to be included in CSP header:
Required CSP domains for Giosg services¶
The following CSP part makes giosg services functional on your website:
1 2 3 4 5 6
Note that if you don't have a CSP part, as
connect-src already present on your website, it will use default-src as a fallback. So, merge
default-src without exceptions AND merge those parts which are already present on your website.
Example of a CSP Header¶
To make your own CSP, you'll need to merge Giosg-recommended CSP with your own, so that you have this record (e.g. in python code):
1 2 3 4 5 6
Do not just copy the above example. It has some example domains inside and is intended only for presentation.
If you need to permit only giosg and your site resources, nothing except for that, we have a ready CSP for you.
Note that if you define some more specific *-src, you'll need to merge giosg values there also. E.g.
Giosg reserves a right to serve any type of content from any of its domains, including but not limited to scripts, images, styles and iframes, so
default-src would be anyway a good place to add giosg domains.