Content security policy headers

Content-Security-Policy provides added security by restricting how and where content can be loaded on your website. This reference article covers which content security policy headers are needed with the Web SDK.

important:

This article is intended for developers working on websites that enforce CSP rules and integrate with Braze. It is not intended as advice on how you should approach security.

note:

This guide uses code samples from the Braze Web SDK 4.0.0+. To upgrade to the latest Web SDK version, see SDK Upgrade Guide.

Nonce attributes

If you use a nonce value in your script-src or style-src directives, pass that value to the contentSecurityNonce initialization option to propagate it to newly created scripts and styles generated by the SDK:

import * as braze from "@braze/web-sdk";

braze.initialize(apiKey, {
  baseUrl: baseUrl,
  contentSecurityNonce: "YOUR-NONCE-HERE", // assumes a "nonce-YOUR-NONCE-HERE" CSP value
});

Directives

`connect-src`

warning:

Your URL must match the API SDK endpoint of your chosen baseUrl initialization option.

URL Information

connect-src https://sdk.iad-01.braze.com Allows the SDK to communicate with Braze APIs. Change this URL to match the API SDK endpoint for your chosen baseUrl initialization option.

`script-src`

URL Information

script-src https://js.appboycdn.com Required when using the CDN-hosted integration.

script-src 'unsafe-eval' Required when using the integration snippet which contains reference to appboyQueue. To avoid using this directive, integrate the SDK using NPM instead.

script-src 'nonce-...'
or
script-src 'unsafe-inline' Required for certain in-app messages, such as custom HTML.

`img-src`

URL Information

img-src: appboy-images.com braze-images.com cdn.braze.eu Required when using Braze CDN-hosted images. Hostnames may vary based on dashboard cluster.

Important: If you’re using custom fonts, you also need to include font-src.

Font Awesome

To disable the automatic inclusion of Font Awesome, use the doNotLoadFontAwesome initialization option:

import * as braze from "@braze/web-sdk";

braze.initialize(apiKey, {
  baseUrl: baseUrl,
  doNotLoadFontAwesome: true,
});

If you choose to use Font Awesome, the following CSP directives are required:

font-src https://use.fontawesome.com
style-src https://use.fontawesome.com
style-src 'nonce-...' or style-src 'unsafe-inline'

Edit this page on GitHub

HOW HELPFUL WAS THIS PAGE?

Edit this page on GitHub

New Stuff!