
How to configure your CSP

Published 04 Nov 2020 by Ellice Eadie, CANDDi

First, if you're wondering what on earth a CSP is: it's short for Content Security Policy.

A Content Security Policy (or CSP) is an extra layer of browser security. It lets a web server tell the browser, as part of its response, which sources of code the site trusts, which protects mainly against XSS attacks. This means that even if you clicked on a phishing link, the CSP would stop the browser from loading the page. Clever.

Having a CSP helps protect you from data theft, from exposure to malware, and from your own site being infected with malware.

If you want to learn more about CSPs and how to use them, go here!

How to use CANDDi with a CSP

If you already have your own CSP in place, you should add the below values into your own script-src / img-src directives:

script-src https://*.canddi.io https://*.canddi.com; img-src https://*.canddi.io https://*.canddi.com;

If you’re starting fresh and don’t already have a CSP, then a good starting point would look something like this:

script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.canddi.io https://*.googletagmanager.com https://*.canddi.com; img-src 'self' https://*.canddi.io https://*.canddi.com;

This allows both CANDDi and your own site ('self') to be trusted sources of code, so the browser will not be stopped from loading the page.

NOTE: The above https://*.googletagmanager.com source is only required if you're using Google Tag Manager to load CANDDi Tracking. If you're not using Google Tag Manager, then you can remove this, but you don't have to – it just won't do anything!
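As an added example (not CANDDi's code), the Python below does the "add these values to your existing script-src / img-src" step from above programmatically: it parses a Content-Security-Policy header value, appends the CANDDi sources (and optionally the Google Tag Manager source), seeds a script-src or img-src that did not exist yet from default-src so that creating the directive does not silently drop the default-src fallback, and reports any directive that still carries 'unsafe-inline', 'unsafe-eval' or a bare '*'. The sample policies in the comments and tests are constructed.

```python
# Added example, not CANDDi's code: merge the CANDDi sources into an existing
# Content-Security-Policy header value and report keywords that weaken it.
from collections import OrderedDict

# Sources the article says to allow (HTTPS, any CANDDi subdomain).
CANDDI_SOURCES = ("https://*.canddi.io", "https://*.canddi.com")
GTM_SOURCE = "https://*.googletagmanager.com"
# Keywords that largely defeat the XSS protection a CSP is meant to give.
WEAK_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(policy):
    """Split a header value into an ordered {directive: [sources]} mapping."""
    directives = OrderedDict()
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        bucket = directives.setdefault(tokens[0].lower(), [])
        for src in tokens[1:]:
            if src not in bucket:
                bucket.append(src)
    return directives


def serialize_csp(directives):
    return "; ".join(" ".join([name] + srcs) for name, srcs in directives.items())


def add_canddi_sources(policy, use_gtm=False):
    """Return the policy with CANDDi allowed in script-src and img-src.

    A missing script-src/img-src falls back to default-src in the browser, so
    a newly created one is seeded from default-src (or 'self') first; 'none'
    is dropped from the seed because it may not be combined with other sources.
    """
    directives = parse_csp(policy)
    for name in ("script-src", "img-src"):
        if name not in directives:
            seed = directives.get("default-src", ["'self'"])
            directives[name] = [s for s in seed if s != "'none'"]
        bucket = directives[name]
        for src in CANDDI_SOURCES:
            if src not in bucket:
                bucket.append(src)
    if use_gtm and GTM_SOURCE not in directives["script-src"]:
        directives["script-src"].append(GTM_SOURCE)
    return serialize_csp(directives)


def weak_sources(policy):
    """Map each directive to the weakening keywords it carries (empty if none)."""
    return {name: sorted(set(srcs) & WEAK_KEYWORDS)
            for name, srcs in parse_csp(policy).items() if set(srcs) & WEAK_KEYWORDS}
```

Serve the returned string as the value of the Content-Security-Policy response header; running weak_sources over the starter policy from this page shows that its script-src still allows 'unsafe-inline' and 'unsafe-eval'.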

Have more questions? Contact us at help@canddi.com