All the Minerva domains to allow in your CSP
Overview
A Content Security Policy (CSP) is a security mechanism for modern browsers that can restrict capabilities on a web page in order to protect end users from a range of possible injection attacks, including cross-site scripting (XSS).
This article identifies the required CSP directives to allow full Minerva SDK functionality.
CSP requirements
The following are required if your CSP defines an allowed list of domains for a particular directive.
For example, if your CSP defines a directive of “script-src https:”, then you do not need to specify the “*.minervaknows.com” hosts because “https:” is a more generic value. Also, if your CSP defines a particular directive (e.g., connect-src), then please include the Minerva domain(s) to ensure continued SDK functionality.
child-src:
https://sdk-services.minervaknows.com
connect-src:
https://api.minervaknows.com
https://sdk.minervaknows.com
script-src:
https://sdk.minervaknows.com
https://sdk-services.minervaknows.com
style-src:
'unsafe-inline'
We aim to promote best practices for the modern web, so our goal is to support full Minerva SDK functionality with a strict CSP.
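To audit an existing policy against the directive list above, the following added example (not Minerva's own code) reports which of the listed sources a CSP string still lacks. The function names and the sample policy are hypothetical, source matching is simplified, and the fallback to default-src is standard CSP behaviour that goes beyond what this article states.

```javascript
// Sources the article lists per directive (copied from the page).
const MINERVA_REQUIRED = {
  "child-src": ["https://sdk-services.minervaknows.com"],
  "connect-src": ["https://api.minervaknows.com", "https://sdk.minervaknows.com"],
  "script-src": ["https://sdk.minervaknows.com", "https://sdk-services.minervaknows.com"],
  "style-src": ["'unsafe-inline'"],
};

// Parse a policy string into { directive: [source, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (name && !(name in directives)) directives[name] = sources;
  }
  return directives;
}

// Simplified source matching: keyword, "*", scheme-source, origin or "*.domain" wildcard.
// Ports and paths in source expressions are not handled.
function covers(allowed, required) {
  if (required.startsWith("'")) return allowed === required;
  const { protocol, host } = new URL(required);
  if (allowed === "*" || allowed === protocol) return true;
  const m = allowed.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/);
  if (!m || (m[1] && m[1] + ":" !== protocol)) return false;
  return m[2].startsWith("*.") ? host.endsWith(m[2].slice(1)) : host === m[2];
}

// Returns { directive: [missing sources] } for directives that block the SDK.
function missingMinervaSources(policy) {
  const csp = parseCsp(policy);
  const missing = {};
  for (const [directive, required] of Object.entries(MINERVA_REQUIRED)) {
    // An absent directive falls back to default-src; with neither, nothing is restricted.
    const sources = csp[directive] ?? csp["default-src"];
    if (!sources) continue;
    const gaps = required.filter((r) => !sources.some((s) => covers(s, r)));
    if (gaps.length) missing[directive] = gaps;
  }
  return missing;
}

// Constructed sample policy, not taken from the article.
const samplePolicy =
  "default-src 'self'; script-src 'self' https:; " +
  "connect-src 'self' https://api.minervaknows.com; style-src 'self'";
console.log(missingMinervaSources(samplePolicy));
```

An empty result means every listed source is already covered, either explicitly or by a more generic value such as "https:".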
Conclusion
Adopting a CSP is a great way to add a layer of security to your web applications. If you need help with your CSP and the Minerva SDK, send us a message. We’re happy to help!