Detection Tag - Content Security Policy

If you have any Content Security Policies (CSP) set up on your website, you will need to make some updates to all the Detection Tag to run properly.

CSP Options

Below, all instances of [CNAME] must be replaced with the first-party domain that is configured as a CNAME to the Human Security domain serving the Detection Tag.

This ruleset provides the minimal permissions required by the Detection Tag.

Note: Please check the Rule Conflicts section below to avoid potential issues.

script-src-elem s.[CNAME] 'unsafe-inline'
connect-src s.[CNAME]
img-src s.[CNAME]
worker-src blob:
style-src 'unsafe-inline'

Rule Conflicts

CSP directives work in a hierarchy, e.g. if script-src-elem is absent, the browser will look for the script-src, and if that is absent it will look for default-src.

If worker-src is absent, the browser will first look for the child-src directive, then the script-src directive, then finally for the default-src directive.

These parent directives can be used in place of the ones in the recommended ruleset, but they are not recommended as they open the possibility for higher-order blocking directive (e.g. script-src-elem 'none') to interfere with the Detection Tag.