Content Security Policy

As an additional layer of defense against cross-site scripting (XSS), clickjacking and other code injection attacks, it's recommended to put strict Content Security Policy directives in place.

This page describes which directives are required in order for the Secure fields solution to work correctly.


This document assumes that the reader already has a restrictive Content Security Policy in place. Once a CSP header is being sent, all internal and external resources must be present.

In order to avoid CSP violations, make sure to declare further script, style and frame sources depending on your project.



Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self'