Content security policy headers
Content-Security-Policy provides added security by restricting how and where content can be loaded on your website. This reference article covers which content security policy headers are needed with the Web SDK.
This article is intended for developers working on websites that enforce CSP rules and integrate with Braze. It is not intended as advice on how you should approach security.
This guide uses code samples from the Braze Web SDK 4.0.0+. To upgrade to the latest Web SDK version, see SDK Upgrade Guide.
Nonce attributes
If you use a nonce
value in your script-src
or style-src
directives, pass that value to the contentSecurityNonce
initialization option to propagate it to newly created scripts and styles generated by the SDK:
1
2
3
4
5
6
import * as braze from "@braze/web-sdk";
braze.initialize(apiKey, {
baseUrl: baseUrl,
contentSecurityNonce: "YOUR-NONCE-HERE", // assumes a "nonce-YOUR-NONCE-HERE" CSP value
});
Directives
connect-src
URL | Information |
---|---|
connect-src https://sdk.iad-01.braze.com |
Allows the SDK to communicate with Braze APIs. Change this URL to match the API SDK endpoint for your chosen baseUrl initialization option. |
script-src
URL | Information |
---|---|
script-src https://js.appboycdn.com |
Required when using the CDN-hosted integration. |
script-src 'unsafe-eval' |
Required when using the integration snippet which contains reference to appboyQueue . To avoid using this directive, integrate the SDK using NPM instead. |
script-src 'nonce-...' or script-src 'unsafe-inline' |
Required for certain in-app messages, such as custom HTML. |
img-src
URL | Information |
---|---|
img-src: appboy-images.com braze-images.com cdn.braze.eu |
Required when using Braze CDN-hosted images. Hostnames may vary based on dashboard cluster. Important: If you’re using custom fonts, you also need to include font-src . |
Font Awesome
To disable the automatic inclusion of Font Awesome, use the doNotLoadFontAwesome
initialization option:
1
2
3
4
5
6
import * as braze from "@braze/web-sdk";
braze.initialize(apiKey, {
baseUrl: baseUrl,
doNotLoadFontAwesome: true,
});
If you choose to use Font Awesome, the following CSP directives are required:
font-src https://use.fontawesome.com
style-src https://use.fontawesome.com
style-src 'nonce-...'
orstyle-src 'unsafe-inline'