Content Security Policy

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. (Source: Mozilla)

If you are using source allowlisting, use the following for Content Security Policy:

style-src:
  'unsafe-inline'
  https://fonts.googleapis.com
font-src:
  https://fonts.gstatic.com
connect-src:
  https://checklist.api.getalvis.com
child-src:
  https://onboarding-widget.getalvis.com
script-src:
  https://assets.getalvis.com

If you need to inject the script separately instead of including it in one of your scripts, you'll need to use a nonce (i.e. script-src 'nonce-rAnd0m' and <script nonce="rAnd0m">...). The value rAnd0m is only a placeholder: generate a new, unpredictable nonce for every response.

If you cannot use the nonce method, you can only use the hash method.

1. Go to Dashboard, click the top right corner and click Install, then copy the installation script.
2. Paste it into the place where you want to put the script. Then copy exactly what is between <script> and </script>, and put it into https://report-uri.com/home/hash to generate the hash.
3. Add the generated hash to script-src.

Also check out how to use Intercom with Content Security Policy.
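The hash in step 2 can also be computed locally and checked in your build. The following Node.js sketch is an added example, not code from Alvis; the sample markup, the placeholder.js path and the exampleInstall name are constructed placeholders for the script you copied. It shows that the hash covers the exact bytes between the tags, whitespace included.

```javascript
// Added example: build a script-src directive with hash sources for the
// inline <script> blocks of a page, using only Node's built-in crypto.
const { createHash } = require('node:crypto');

// The script-src source this page lists for source allowlisting.
const SCRIPT_SRC_ALLOWLIST = ['https://assets.getalvis.com'];

// Return the exact text between each inline <script ...> and </script>.
// Scripts with a src attribute are skipped: they are covered by the
// allowlist, not by a hash. A regex is enough for a build-time check
// over your own template; it is not a general HTML parser.
function inlineScriptBodies(html) {
  const bodies = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    if (!/\bsrc\s*=/i.test(attrs)) bodies.push(body);
  }
  return bodies;
}

// A CSP hash source is the padded, standard-alphabet base64 of the SHA-256
// digest of the script text as UTF-8 bytes. Nothing is trimmed or
// normalised, so a reformatted script needs a new hash.
function cspHashSource(scriptText) {
  const digest = createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Allowlisted hosts first, then one hash per distinct inline script.
function scriptSrcDirective(html) {
  const hashes = inlineScriptBodies(html).map(cspHashSource);
  return ['script-src', ...SCRIPT_SRC_ALLOWLIST, ...new Set(hashes)].join(' ');
}

// Constructed sample page: one external script and one inline script.
const samplePage = [
  '<script src="https://assets.getalvis.com/placeholder.js"></script>',
  '<script>\n  window.exampleInstall = { id: "PLACEHOLDER" };\n</script>',
].join('\n');

console.log(scriptSrcDirective(samplePage));
```

Re-run the computation whenever the installation script changes, because a one-byte difference produces a different hash and the browser will block the script.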
