Detection Tag - Content Security Policy
If you have any Content Security Policies (CSP) set up on your website, you will need to make some updates to allow the Detection Tag to run properly.
Below, all instances of [CNAME] must be replaced with the first-party domain that is configured as a CNAME to the Human Security domain serving the Detection Tag.
This ruleset provides the minimal permissions required by the Detection Tag.
Note: Please check the Rule Conflicts section below to avoid potential issues.
script-src-elem s.[CNAME] 'unsafe-inline'
connect-src s.[CNAME]
img-src s.[CNAME]
worker-src blob:
style-src 'unsafe-inline'
CSP directives work in a hierarchy, e.g. if script-src-elem is absent, the browser will look for the script-src directive, and if that is absent it will look for default-src. If worker-src is absent, the browser will first look for the child-src directive, then the script-src directive, then finally for the default-src directive.
These parent directives can be used in place of the ones in the recommended ruleset, but they are not recommended, as they open the possibility for a higher-order blocking directive (e.g. script-src-elem 'none') to interfere with the Detection Tag.
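To check an existing policy against the ruleset above, the following added example (not code from Human Security) resolves each required directive through its fallback chain and lists the sources the browser would block. It assumes exact-token source matching, and tag.example.com is a constructed stand-in for [CNAME].

```javascript
// Added example, not HUMAN Security code. Sources are matched as exact tokens only.
const FALLBACK = {
  'script-src-elem': ['script-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
  'connect-src': ['default-src'],
  'img-src': ['default-src'],
  'style-src': ['default-src'],
};
// Minimal ruleset from this page; cname is the first-party CNAME domain.
const required = (cname) => ({
  'script-src-elem': [`s.${cname}`, "'unsafe-inline'"],
  'connect-src': [`s.${cname}`],
  'img-src': [`s.${cname}`],
  'worker-src': ['blob:'],
  'style-src': ["'unsafe-inline'"],
});
// Parse "name src src; name src" into a Map; the first duplicate wins, as in browsers.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Return the directive the browser actually enforces for `name`, or null if none applies.
function effective(policy, name) {
  return [name, ...FALLBACK[name]].find((d) => policy.has(d)) || null;
}

// List every required source that the policy would block for the Detection Tag.
function findBlocked(header, cname) {
  const policy = parseCsp(header), problems = [];
  for (const [name, needed] of Object.entries(required(cname))) {
    const used = effective(policy, name);
    if (used === null) continue; // no directive in the chain: nothing is restricted
    const sources = policy.get(used);
    // A nonce or hash in the same directive makes browsers ignore 'unsafe-inline'.
    const strict = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    for (const src of needed) {
      const ok = sources.includes(src) && !(src === "'unsafe-inline'" && strict);
      if (!ok) problems.push(`${name} (enforced by ${used}): missing ${src}`);
    }
  }
  return problems;
}
// Constructed sample: script-src allows the tag, but script-src-elem 'none' overrides it.
console.log(findBlocked("script-src s.tag.example.com 'unsafe-inline'; script-src-elem 'none'", 'tag.example.com'));
```

An empty result means every source in the minimal ruleset is permitted by the directive the browser ends up enforcing.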