Overview of the Content Security Policy (CSP)
To give your sites additional protection against certain browser-based attacks, you can send a special HTTP header, the Content Security Policy (CSP), that instructs the browser which resources (images, styles, JavaScript) it may request and how to render them.
CSPs can be implemented in a number of ways. For more information on how to implement a CSP, see Mozilla’s Content Security Policy (CSP) documentation.
A CSP is delivered in the HTTP response header “Content-Security-Policy”, whose value is a string of directives that control the rendering and requesting of resources. The same policy can also be set in a <meta> tag in the <head> section of an HTML page, for example:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'unsafe-inline'; script-src https://ajax.googleapis.com">
Kount directives for CSP
Which CSP directives a page needs depends on how the page is built. For fingerprinting to work correctly, a few additional directives must be added.
For all Kount products, allow https://*.kaptcha.com, the recommended domain for our data collector.
The following CSP directives must allow the kaptcha.com domain:
img-src https://*.kaptcha.com – Informs the browser that images can be loaded from https://*.kaptcha.com. This is needed to load our logo.gif.
connect-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.kaptcha.com – Informs the browser to allow downloading of our JavaScript, which creates first-party cookies and injects a hidden iframe that runs the collector code.
child-src https://*.kaptcha.com – Informs the browser that child documents (iframes) can be loaded from https://*.kaptcha.com. This ensures the iframe that does all the work gets loaded.
script-src 'unsafe-eval' 'unsafe-inline' https://*.kaptcha.com – Informs the browser that it may run the JavaScript that creates the SDK client, sets up the callbacks, and initiates the data collection.
Here is an example <meta> tag for Kaptcha. Use it only in addition to, or merged with, the CSP meta tags the site already has:
<meta http-equiv="Content-Security-Policy" content="img-src https://*.kaptcha.com; connect-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.kaptcha.com; script-src 'unsafe-eval' 'unsafe-inline' https://*.kaptcha.com; child-src https://*.kaptcha.com">
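As an added example (not code from Kount’s documentation), the Python script below works with serialized policies like the two <meta> values shown on this page: it parses a policy, reports which of the Kount sources a site’s existing policy would still block, flags a mistyped directive name, and merges the Kount sources into the existing policy instead of emitting a second one. The required sources are taken from the directive list above; the helper names and the sample site policy are the example’s own. It models two browser behaviours a practitioner has to account for when combining policies: several policies on one page are enforced independently (a request must satisfy every one of them), and introducing a fetch directive such as img-src switches off its fallback to default-src, so the inherited sources must be carried over or the site’s own images stop loading.

```python
"""Check and merge Content-Security-Policy directives for the Kount collector.

Added example, not part of Kount's documentation. It operates on serialized
policy strings only and makes no network requests.
"""

# Sources required per directive, as listed in the Kount documentation above.
# Note: 'unsafe-eval' and 'unsafe-inline' are keywords that only affect
# script-src and style-src; browsers ignore them in connect-src.
KOUNT_SOURCES = {
    "img-src": ["https://*.kaptcha.com"],
    "connect-src": ["'self'", "'unsafe-eval'", "'unsafe-inline'", "https://*.kaptcha.com"],
    "child-src": ["https://*.kaptcha.com"],
    "script-src": ["'unsafe-eval'", "'unsafe-inline'", "https://*.kaptcha.com"],
}

# Fetch directives that fall back straight to default-src when absent ...
GENERIC_FETCH = {
    "img-src", "connect-src", "child-src", "script-src", "style-src",
    "font-src", "media-src", "object-src", "manifest-src",
}
# ... and the two with a longer fallback chain.
FALLBACK_CHAIN = {
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}
KNOWN_DIRECTIVES = GENERIC_FETCH | set(FALLBACK_CHAIN) | {
    "default-src", "base-uri", "form-action", "frame-ancestors", "report-uri",
    "report-to", "sandbox", "upgrade-insecure-requests", "block-all-mixed-content",
}


def parse_csp(policy):
    """Split a serialized policy into {directive: [source, ...]}, in order.

    Directive names are case-insensitive and, as in browsers, only the first
    occurrence of a directive counts.
    """
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def serialize_csp(directives):
    return "; ".join(f"{name} {' '.join(srcs)}".strip()
                     for name, srcs in directives.items())


def unknown_directives(policy):
    """Directive names a browser would not recognise, e.g. 'child' from 'child src'."""
    return [name for name in parse_csp(policy) if name not in KNOWN_DIRECTIVES]


def effective_sources(directives, name):
    """Source list the browser actually applies to `name`, after fallback.

    Returns None when no directive governs that fetch type (unrestricted).
    """
    chain = [name] + FALLBACK_CHAIN.get(
        name, ["default-src"] if name in GENERIC_FETCH else [])
    for candidate in chain:
        if candidate in directives:
            return list(directives[candidate])
    return None


def _allows(present, source):
    # Keywords ('self', 'unsafe-inline', ...) must be listed literally; a host
    # source is also covered by the '*' or 'https:' wildcards.
    if source.lower() in present:
        return True
    return not source.startswith("'") and bool(present & {"*", "https:"})


def missing_sources(policy, required):
    """(directive, source) pairs that `policy` would block."""
    directives = parse_csp(policy)
    missing = []
    for name, srcs in required.items():
        effective = effective_sources(directives, name)
        if effective is None:
            continue  # nothing restricts this fetch type
        present = {s.lower() for s in effective}
        missing.extend((name, s) for s in srcs if not _allows(present, s))
    return missing


def merge_sources(existing, additions):
    """Return `existing` widened with `additions`, as a single policy.

    Several policies on one page are enforced independently, so a request
    must satisfy all of them; a second, kaptcha-only policy would therefore
    block the site's own resources. Widening only works by editing the one
    policy the site already has.
    """
    merged = parse_csp(existing)
    for name, new_srcs in additions.items():
        if name not in merged:
            # Introducing a directive switches off its fallback, so carry the
            # inherited sources over or the site's own resources get blocked.
            merged[name] = effective_sources(merged, name) or []
        srcs = [s for s in merged[name] if s.lower() != "'none'"]  # 'none' cannot be combined
        for s in new_srcs:
            if s.lower() not in {x.lower() for x in srcs}:
                srcs.append(s)
        merged[name] = srcs
    return serialize_csp(merged)


if __name__ == "__main__":
    # Constructed sample: the general policy shown earlier on this page.
    site = ("default-src 'self'; style-src 'self' 'unsafe-inline'; "
            "script-src https://ajax.googleapis.com")
    print("missing before:", missing_sources(site, KOUNT_SOURCES))
    widened = merge_sources(site, KOUNT_SOURCES)
    print("merged policy: ", widened)
    print("missing after: ", missing_sources(widened, KOUNT_SOURCES))
```

Run against the page’s general example policy, the script reports eight blocked Kount sources, produces one merged header in which img-src, connect-src and child-src keep the inherited 'self', and then reports nothing missing. Feeding it a policy containing "child src" (without the hyphen) surfaces the stray directive name "child", which browsers would silently ignore.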