Adding cside to your Content Security Policy (CSP)
Learn how to configure your Content Security Policy to work with cside.
When CSP Changes Are Not Required
In most cases, no CSP adjustments are needed for the cside monitoring script to work. If your Content Security Policy uses broad directives that allow HTTPS sources, cside will work out of the box.
For example, if your CSP looks like this:
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
The cside script will load without any issues because it is served over HTTPS from proxy.csidetm.com. A CSP that allows scripts from any HTTPS origin will automatically permit cside.
When CSP Changes Are Required
You only need to update your CSP if you have explicit script-src or connect-src directives that restrict which domains can load scripts or make network requests.
If your CSP includes specific script-src or connect-src directives, add proxy.csidetm.com to those directives:
Content-Security-Policy: script-src 'self' proxy.csidetm.com; connect-src 'self' proxy.csidetm.com
You only need to update directives you already use. If you don't have script-src or connect-src in your CSP, no changes are needed for those directives.
Add these to your existing CSP settings without removing your current policies. As part of your cside plan, you can also direct CSP violations to our dashboard for monitoring.
For more information about configuring CSP reporting, see Adjusting your CSP.
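The check described above can be automated before a policy is deployed. The following JavaScript is an added example, not cside's own code: it parses a CSP header value, reports whether proxy.csidetm.com is permitted for scripts and connections, and appends the host only to script-src and connect-src directives that already exist. It goes one step beyond the text by also reporting when a missing directive falls back to default-src; the function names and the STRICT sample policy are constructed, the page is assumed to be served over HTTPS, and script-src-elem is not considered.

```javascript
// Added example, not cside's code. Assumes the protected page is served over HTTPS.
const CSIDE_HOST = 'proxy.csidetm.com'; // host named on this page

// Parse a CSP header value into Map<directive, sources[]>.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, only the first occurrence of a directive counts.
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// True if a single source expression permits https://<host>/ (path-restricted sources count as "no").
function sourceAllows(source, host) {
  const s = source.toLowerCase();
  if (/^(\*|https?:)$/.test(s)) return true; // wildcard or scheme source
  const m = /^(?:https?:\/\/)?([^\/:']+)(?::(?:443|\*))?\/?$/.exec(s);
  return m !== null && (m[1] === host || (m[1].startsWith('*.') && host.endsWith(m[1].slice(1))));
}

// Which directive governs `kind` (with default-src fallback) and whether it lets cside through.
function csideStatus(value, kind) {
  const policy = parseCsp(value);
  const governedBy = policy.has(kind) ? kind : policy.has('default-src') ? 'default-src' : null;
  const allowed = governedBy === null ||
    policy.get(governedBy).some((src) => sourceAllows(src, CSIDE_HOST));
  return { governedBy, allowed };
}

// Append the cside host to explicit script-src / connect-src only; keep every other directive as is.
function addCside(value) {
  const policy = parseCsp(value);
  for (const kind of ['script-src', 'connect-src']) {
    const sources = policy.get(kind);
    if (!sources || sources.some((src) => sourceAllows(src, CSIDE_HOST))) continue;
    policy.set(kind, [...sources.filter((src) => src.toLowerCase() !== "'none'"), CSIDE_HOST]);
  }
  return [...policy].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Constructed sample policy with explicit, restrictive directives.
const STRICT = "default-src 'self'; script-src 'self' https://cdn.example.com; connect-src 'self'";
console.log(csideStatus(STRICT, 'script-src'));
console.log(addCside(STRICT));
```

A result of governedBy 'default-src' with allowed false means the browser will apply default-src to the cside script even though no script-src directive is present.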