Content Security Policy (CSP) is a security feature that controls which external stylesheets, scripts, and frames can be loaded in your Knowledge base. When the content security policy is enabled in the project, the Content-Security-Policy header is added to each HTTP response with the default allowed domains for each source. It restricts resource loading from external domains and allows resources only from the configured list of domains for each source.


How to enable the content security policy?


  1. Go to Settings > Users & Security > Security
  2. Turn on the Enable content security policy toggle

The toggle is disabled by default.

  1. You can find the following source fields:
    a. Style source
    b. Script source
    c. Frame source
  2. Type in the desired domain URLs in the respective fields
  3. Click Save
  • The character limit for each field is 5000
  • Use commas (,) to separate the URLs
  • Keep the URLs in the following format: https://example.com

a. Style source

In the Style source field, you can define the valid sources of stylesheets that can be applied to your Knowledge base. Configuring the style sources will prevent malicious styles from being used to execute Cross-Site Scripting (XSS) attacks on your Knowledge base.

  • Type the domain URLs of stylesheet sources in this field
  • All the stylesheets from other URLs will be restricted

Ensure that you have added the nonce attribute placeholder to every script tag in your custom HTML sections.

Example: <script nonce='{{Document360-Nonce}}'>


b. Script source

In the Script source field, you can define the valid sources of JavaScript codes that can be executed on your Knowledge base. This helps to prevent malicious JavaScript code from being executed, even if it has been injected into the Knowledge base by an attacker.

  • Type the domain URLs of JavaScript sources in this field
  • All JavaScript from other URLs will be restricted

c. Frame source

In the Frame source field, you can define the valid sources of frame elements like <frame> and <iframe> that can be embedded in your Knowledge base.

  • Type the domain URLs of frame sources in this field
  • All the frames from other URLs will be restricted
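The following is an added example, not Document360's own code, showing how the three source fields described above map onto a Content-Security-Policy header value (assumed mapping: Style source to style-src, Script source to script-src, Frame source to frame-src, with 'self' and the script nonce added) and how a resource URL is then checked against a directive. Field format, the 5000-character limit and the nonce placeholder are taken from the page; the product's real header may differ.

```python
from urllib.parse import urlsplit

FIELD_CHAR_LIMIT = 5000                    # per-field limit stated on the page
NONCE_PLACEHOLDER = "{{Document360-Nonce}}"  # placeholder used in custom HTML
# UI field -> CSP directive it populates (assumed mapping)
DIRECTIVES = {"style": "style-src", "script": "script-src", "frame": "frame-src"}


def parse_field(value: str) -> list[str]:
    """Split a comma-separated field into origins of the form https://example.com."""
    if len(value) > FIELD_CHAR_LIMIT:
        raise ValueError(f"field exceeds {FIELD_CHAR_LIMIT} characters")
    origins = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue                       # tolerate trailing/double commas
        u = urlsplit(raw)
        if u.scheme != "https" or not u.netloc or u.path not in ("", "/") or u.query or u.fragment:
            raise ValueError(f"not in https://example.com form: {raw!r}")
        origins.append(f"https://{u.netloc.lower()}")
    return origins


def build_csp(style: str, script: str, frame: str, nonce: str) -> str:
    """Build the header value: 'self' plus configured origins per directive.
    script-src also carries the per-response nonce so that custom HTML scripts
    tagged with NONCE_PLACEHOLDER (rendered as this nonce) are still allowed."""
    fields = {"style": style, "script": script, "frame": frame}
    parts = []
    for field, directive in DIRECTIVES.items():
        values = ["'self'", *parse_field(fields[field])]
        if field == "script":
            values.append(f"'nonce-{nonce}'")
        parts.append(f"{directive} {' '.join(values)}")
    return "; ".join(parts)


def is_allowed(csp: str, directive: str, url: str, site: str) -> bool:
    """True if the origin of url is listed for directive ('self' = the site's
    own origin). Simplified matcher: exact origin match, no wildcards."""
    origin = urlsplit(url)
    origin_str = f"{origin.scheme}://{origin.netloc.lower()}"
    for part in csp.split(";"):
        name, *values = part.split()
        if name == directive:
            if "'self'" in values and origin_str == site.lower():
                return True
            return origin_str in values
    return False                           # directive absent: not allowed here
```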