Configure content security policies


Content security policies (CSP) allow you to control which JavaScript and other content the site can load. This helps mitigate cross-site scripting (XSS) and other code injection attacks. It enables web developers to dictate the resources (such as scripts, stylesheets, and images) a browser may load for a given page. This is achieved by sending a Content-Security-Policy HTTP header whose directives specify the permitted sources for each resource type.

Understanding content security policies settings

Content security policies (CSP) offer three settings that control how your site handles external resources.

  • Disabled: No CSP rules are applied. All resources will load without restriction.
  • Report Only:
    • Browsers will report which resources would be blocked if CSP were enforced, without actually blocking anything.
    • All Recruitment Marketing production resources are automatically allowed, but third-party resources (e.g., JavaScript, images, fonts) referenced on your pages will appear in the report if they're not explicitly whitelisted.

      Warning:

      Report Only should not be left on indefinitely. Once reviewed, switch to either Disabled or Strict mode.

  • Strict: CSP is fully enforced. Any resource not whitelisted in your CSP settings will be blocked from loading.

Enabling content security policies

Content security policies are set and enabled in Settings, separately for each site (for example, External and Internal).

  1. From the side menu, under Company, click Settings.
  2. Under Security, click Content security policies.

From here you can click View Content Security Reports and manage your Content security policies.


If you set the CSP strategy to Report Only and open the browser console on the search page, it will list the JavaScript and CSS that would be refused loading if the CSP strategy were set to Strict.

If you want to allow these to load, copy the source(s) shown in the console and paste them into the CSP settings page under the matching type (CSS, JavaScript, etc.).

To avoid CSP restrictions on inline scripts, move them into the theme. For example, some JavaScript can be moved to the theme with its jQuery dependency removed.

Example scenario

Scenario: Allowing JavaScript and Image CDNs in a Strict CSP Setup

If your site loads JavaScript or images from third-party CDNs, and you want to restrict access to only those trusted sources, you’ll need to configure your CSP policy accordingly. When using a Strict CSP strategy, you'll explicitly define which CDNs are allowed.

For example, your site might load:

  • JavaScript libraries from jsDelivr and unpkg
  • Images from Unsplash

Paste this in the Script sources field:

https://cdn.jsdelivr.net https://unpkg.com

This allows JavaScript to be loaded from those CDNs.

In the Image sources field, paste:

https://images.unsplash.com

This allows images hosted by Unsplash.
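The following script is an added example and is not part of this article or the Recruitment Marketing product. It shows what the three settings above amount to on the wire: Disabled sends no header, Report Only sends Content-Security-Policy-Report-Only, and Strict sends Content-Security-Policy. It builds the header from the Script sources and Image sources values of the scenario (assumption: those fields map to the script-src and img-src directives, and the product's own production resources are expressed as 'self'), then classifies a constructed list of resource URLs the way the console would: allowed, reported (Report Only) or blocked (Strict). The site origin and resource URLs are made up for the example.

```python
"""Build a CSP header from per-type source lists and classify resource URLs
under each CSP setting. Added example; not the product's own code."""
from urllib.parse import urlparse

# Constructed settings mirroring the scenario above. Assumption: the product's
# "Script sources" field feeds script-src and "Image sources" feeds img-src.
SETTINGS = {
    "script-src": ["https://cdn.jsdelivr.net", "https://unpkg.com"],
    "img-src": ["https://images.unsplash.com"],
}

# Constructed site origin and resource URLs (placeholders, not real hosts).
SITE_ORIGIN = "https://careers.example.invalid"
RESOURCES = [
    ("script-src", "https://cdn.jsdelivr.net/npm/some-lib.min.js"),
    ("script-src", "https://unpkg.com/another-lib/dist/lib.js"),
    ("script-src", "https://tag.analytics-vendor.invalid/tag.js"),  # not listed
    ("img-src", "https://images.unsplash.com/photo-123"),
    ("img-src", "http://images.unsplash.com/photo-123"),  # wrong scheme
    ("img-src", "https://careers.example.invalid/logo.png"),  # the site itself
]

HEADER_FOR_MODE = {
    "report-only": "Content-Security-Policy-Report-Only",
    "strict": "Content-Security-Policy",
}


def build_header(settings, mode):
    """Return (header_name, header_value) for a mode, or None when disabled.

    'self' stands in for the site's own production resources, which the
    article says are always allowed (assumption about how that is expressed).
    """
    if mode == "disabled":
        return None
    directives = [
        f"{directive} 'self' {' '.join(sources)}"
        for directive, sources in settings.items()
    ]
    return HEADER_FOR_MODE[mode], "; ".join(directives)


def source_matches(source, url, site_origin):
    """Simplified CSP host-source matching.

    'self' matches the page's own scheme and host; a host source must match
    the URL's scheme (if given) and host exactly, or via a leading '*.'
    wildcard. Paths and ports are ignored in this simplified version.
    """
    u = urlparse(url)
    if source == "'self'":
        s = urlparse(site_origin)
        return (u.scheme, u.netloc) == (s.scheme, s.netloc)
    s = urlparse(source)
    if s.scheme and s.scheme != u.scheme:
        return False
    host = s.netloc
    if host.startswith("*."):
        return u.netloc.endswith(host[1:])  # '*.x.com' matches 'a.x.com'
    return u.netloc == host


def evaluate(settings, mode, site_origin, resources):
    """Map each resource URL to 'allowed', 'reported' or 'blocked'.

    A directive that is absent from the settings is treated as unrestricted,
    mirroring CSP behaviour when neither the directive nor default-src is set.
    """
    results = {}
    for directive, url in resources:
        if mode == "disabled" or directive not in settings:
            results[url] = "allowed"
            continue
        sources = ["'self'"] + settings[directive]
        if any(source_matches(s, url, site_origin) for s in sources):
            results[url] = "allowed"
        else:
            results[url] = "reported" if mode == "report-only" else "blocked"
    return results


if __name__ == "__main__":
    for mode in ("disabled", "report-only", "strict"):
        print(f"== {mode} ==")
        header = build_header(SETTINGS, mode)
        print("header:", header if header else "(none sent)")
        for url, outcome in evaluate(SETTINGS, mode, SITE_ORIGIN, RESOURCES).items():
            print(f"  {outcome:8s} {url}")
```

Running it shows the same three third-party URLs turning from "reported" in Report Only to "blocked" in Strict, including the http:// Unsplash URL, which fails because the listed source is https-only. That is the review step the Warning above refers to: work through the reported entries, add the ones you trust to the matching sources field, and only then switch to Strict.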
