Adjusting your CSP
You may need to adjust your Content Security Policy (CSP) settings to allow the cside script to function correctly.
Learn how to configure Content Security Policy reporting with cside's reporting endpoint. CSP reporting is available across all cside subscription tiers.
Service Limits
| Plan | Retention Period | Event Capacity |
|---|---|---|
| Free | 30 days | 500,000 events |
| Business | 90 days | 2,000,000 events |
| Enterprise | 90 days in dashboard, 365 days in cold storage | Unlimited events |
Implementation Guide
Step 1: Configure CSP Headers
Content Security Policy uses directives to control resource loading and execution. For a comprehensive list of available directives, refer to the Mozilla Developer Documentation.
Deployment Modes
CSP supports two operational modes:
- Report-Only Mode: Monitors violations without enforcement
- Enforcement Mode: Actively blocks policy violations
Best Practice: Implement CSP through HTTP response headers rather than HTML meta tags for enhanced security.
Implementation Recommendations
- Begin with Report-Only mode for impact assessment
- Implement essential directives first:
  - script-src: Control JavaScript source origins
  - img-src: Manage image loading sources
  - font-src: Restrict font loading sources
- Use script-src 'self' as a baseline security measure
Note: Automated CSP configuration tooling is scheduled for release in Q3 2025.
Step 2: Configure Reporting Endpoint
Each cside customer is assigned a dedicated reporting endpoint. Navigate to the CSP reports section of the dashboard to view the CSP reporting endpoint assigned to your account.
Best Practices and Considerations
cside Compatibility
When CSP Changes Are Not Required
In most cases, no CSP adjustments are needed for the cside monitoring script to work. If your Content Security Policy uses broad directives that allow HTTPS sources, cside will work out of the box.
For example, if your CSP looks like this:
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
The cside script will load without any issues because it is served over HTTPS from proxy.csidetm.com. A CSP that allows scripts from any HTTPS origin will automatically permit cside.
When CSP Changes Are Required
You only need to update your CSP if you have explicit script-src or connect-src directives that restrict which domains can load scripts or make network requests.
If your CSP includes specific script-src or connect-src directives, add proxy.csidetm.com to those directives:
Content-Security-Policy: script-src 'self' proxy.csidetm.com; connect-src 'self' proxy.csidetm.com
You only need to update directives you already use. If you don't have script-src or connect-src in your CSP, no changes are needed for those directives.
Add these to your existing CSP settings without removing your current policies. As part of your cside plan, you can also direct CSP violations to our dashboard for monitoring.
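An added example (not cside's own code) that applies the rules above to an existing header: it checks whether proxy.csidetm.com is already reachable under script-src and connect-src (falling back to default-src as browsers do, and treating a policy with neither directive as unrestricted) and appends the host only where needed. It goes one step beyond the text: when a directive is absent but default-src is restrictive, the browser would still block the fetch, so the function adds that directive with default-src's sources plus the host. The optional report_uri value is a placeholder for the endpoint shown in your dashboard, not a real cside URL.

```python
# Added example, not cside's own code. Adjusts a CSP header so that the
# cside script served from proxy.csidetm.com is permitted.

CSIDE_HOST = "proxy.csidetm.com"


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Join the directive map back into a header value."""
    return "; ".join(f"{d} {' '.join(s)}".rstrip() for d, s in policy.items())


def source_allows_host(source, host):
    """True if one source expression permits an https fetch from host."""
    s = source.lower()
    if s in ("*", "https:"):                 # wildcard or https scheme-source
        return True
    if s.startswith("https://"):
        s = s[len("https://"):]
    s = s.split("/", 1)[0]                   # drop any path component
    if s == host:
        return True
    return s.startswith("*.") and host.endswith(s[1:])   # *.csidetm.com


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src; with neither, unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", ["*"])


def cside_allowed(policy):
    """True if both script loads and network requests to cside are permitted."""
    return all(any(source_allows_host(s, CSIDE_HOST) for s in effective_sources(policy, d))
               for d in ("script-src", "connect-src"))


def adjust_for_cside(header, report_uri=None):
    """Return the header with proxy.csidetm.com added only where required."""
    policy = parse_csp(header)
    for directive in ("script-src", "connect-src"):
        sources = effective_sources(policy, directive)
        if any(source_allows_host(s, CSIDE_HOST) for s in sources):
            continue                         # already permitted, leave as-is
        # Copy the inherited sources first so no existing origin is lost.
        policy.setdefault(directive, list(sources)).append(CSIDE_HOST)
    if report_uri and "report-uri" not in policy and "report-to" not in policy:
        policy["report-uri"] = [report_uri]  # placeholder: endpoint from dashboard
    return serialize_csp(policy)
```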
Environment Management
CSP implementation often varies between development and production environments. Maintain consistent CSP configurations across all environments to prevent deployment issues and security gaps.
Policy Design Strategy
Balance your CSP implementation between:
- Strict Policies: Enhanced security through specific rules, but they require more maintenance
- Permissive Policies: Easier maintenance, but they may introduce security vulnerabilities
cside's monitoring capabilities enable you to implement broader rules while maintaining security through comprehensive violation reporting and analysis.
Known Challenges
The connect-src directive requires careful consideration due to dynamic client-side dependencies. When implementing this directive...