# Managing Content-Security-Policy Headers
Content-Security-Policy headers are like a seatbelt for your passengers. In the unfortunate event of an XSS vulnerability, they add a layer of exploit mitigation enforced by the users' browsers. Although XSS vulnerabilities in Airship should be a rare occurrence (at worst), these headers are offered in case one ever surfaces.
There are two places where Content Security Policies are managed:
## Universal Content Security Policy
This is the base policy for your Airship install. Cabins' Content Security Policies may be inherited from the Universal rule set. (This inheritance is completely optional, of course.)
The Add Source button allows you to specify a third-party domain name from which you wish your users' browsers to permit third-party resources to be loaded without any additional checks. This is recommended for third-party APIs such as ReCAPTCHA or CDNs.
Why is Google whitelisted by default?
## Cabin-Specific Content Security Policies
Cabins have one additional option: Include, and extend, the Universal CSP Rules? If checked, you can only add exceptions to the Universal rules, not lock them down further. If you wish for one Cabin to be more restrictive than the others, uncheck it.
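The following is an added example, not CMS Airship's own code, that models the two behaviours described above: the Add Source button whitelisting an extra origin for a directive, and the Cabin checkbox that either extends the Universal rules (exceptions only, never tighter) or lets a Cabin stand on its own. The Universal policy and the reCAPTCHA-style origins are constructed sample values, and the function names are this example's own, not Airship's.

```python
# Added example (not CMS Airship's own code): how an inherited
# Content-Security-Policy can only be widened by a Cabin, never narrowed,
# and how the resulting header value is rendered.
from typing import Dict, List

# A policy maps a CSP directive to its list of allowed sources.
Policy = Dict[str, List[str]]

# Constructed sample "Universal" policy: the base rule set for the install.
UNIVERSAL_CSP: Policy = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'"],
    "frame-ancestors": ["'none'"],
}


def add_source(policy: Policy, directive: str, origin: str) -> Policy:
    """Equivalent of the Add Source button: permit one more third-party
    origin for a directive. Returns a new policy; the input is unchanged."""
    merged = {d: list(s) for d, s in policy.items()}
    merged.setdefault(directive, [])
    if origin not in merged[directive]:
        merged[directive].append(origin)
    return merged


def extend_universal(universal: Policy, cabin_exceptions: Policy) -> Policy:
    """Checkbox checked: the Cabin contributes exceptions only. Every
    Universal source survives, so the result is never stricter than the
    Universal policy."""
    merged = {d: list(s) for d, s in universal.items()}
    for directive, sources in cabin_exceptions.items():
        for origin in sources:
            merged = add_source(merged, directive, origin)
    return merged


def cabin_policy(universal: Policy, cabin_rules: Policy, inherit: bool) -> Policy:
    """Mirror the Cabin checkbox: inherit=True extends the Universal rules,
    inherit=False lets the Cabin stand alone (and therefore be stricter)."""
    if inherit:
        return extend_universal(universal, cabin_rules)
    return {d: list(s) for d, s in cabin_rules.items()}


def is_at_least_as_permissive(wider: Policy, narrower: Policy) -> bool:
    """True when every source allowed by `narrower` is also allowed by
    `wider` for the same directive. Used here to check the inheritance
    guarantee: an extended policy always passes against the Universal one."""
    return all(
        set(sources) <= set(wider.get(directive, []))
        for directive, sources in narrower.items()
    )


def render_header(policy: Policy) -> str:
    """Serialise to a Content-Security-Policy header value, with directives
    in a stable order so equal policies render identically."""
    return "; ".join(
        f"{directive} {' '.join(sources)}"
        for directive, sources in sorted(policy.items())
    )


if __name__ == "__main__":
    # Cabin A inherits and whitelists constructed sample reCAPTCHA origins.
    cabin_a = cabin_policy(
        UNIVERSAL_CSP,
        {"script-src": ["https://www.google.com", "https://www.gstatic.com"],
         "frame-src": ["https://www.google.com"]},
        inherit=True,
    )
    # Cabin B opts out of inheritance and locks itself down further.
    cabin_b = cabin_policy(UNIVERSAL_CSP, {"default-src": ["'none'"]}, inherit=False)

    print("Cabin A:", render_header(cabin_a))
    print("Cabin B:", render_header(cabin_b))
    print("A >= Universal:", is_at_least_as_permissive(cabin_a, UNIVERSAL_CSP))
    print("B >= Universal:", is_at_least_as_permissive(cabin_b, UNIVERSAL_CSP))
```

The `is_at_least_as_permissive` check is the practical takeaway: with the checkbox on, a Cabin's policy is always a superset of the Universal one, so anything you want locked down for every Cabin has to be locked down in the Universal policy itself.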