Skip to main content
Content Security Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS) attacks by controlling which resources a web page can load. Mintlify serves a default CSP that protects most sites. If you host your documentation behind a reverse proxy or firewall that overwrites the default CSP, you may need to configure CSP headers for features to function properly.

CSP directives

The following CSP directives control which resources a page can load:
  • script-src: Controls which scripts can run
  • style-src: Controls which stylesheets can load
  • font-src: Controls which fonts can load
  • img-src: Controls which images, icons, and logos can load
  • connect-src: Controls which URLs can connect to for API calls and WebSocket connections
  • frame-src: Controls which URLs can embed in frames or iframes
  • default-src: Fallback for other directives when not explicitly set

Domain allowlist

DomainPurposeCSP directiveRequired
d4tuoctqmanu0.cloudfront.netKaTeX CSS, fontsstyle-src, font-srcRequired
*.mintlify.siteDocumentation contentconnect-src, frame-srcRequired
*.mintlify.comDashboard, API, analytics proxyconnect-srcRequired
leaves.mintlify.comAssistant APIconnect-srcRequired
d3gk2c5xim1je2.cloudfront.netIcons, images, logosimg-srcRequired
d1ctpt7j8wusba.cloudfront.netMint version and release filesconnect-srcRequired
mintcdn.comImages, faviconsimg-src, connect-srcRequired
*.mintcdn.comImages, faviconsimg-src, connect-srcRequired
cdn.jsdelivr.netEmoji assets for OG imagesscript-src, img-srcRequired
mintlify.s3.us-west-1.amazonaws.comS3-hosted imagesimg-srcRequired
hcaptcha.comhCaptcha CAPTCHA verificationscript-src, frame-src, style-src, connect-src, unsafe-eval, unsafe-inlineRequired
*.hcaptcha.comhCaptcha CAPTCHA verificationscript-src, frame-src, style-src, connect-src, unsafe-eval, unsafe-inlineRequired
fonts.googleapis.comGoogle Fontsstyle-src, font-srcOptional
www.googletagmanager.comGoogle Analytics/Google Tag Manager (GTM)script-src, connect-srcOptional
cdn.segment.comSegment analyticsscript-src, connect-srcOptional
plausible.ioPlausible analyticsscript-src, connect-srcOptional
us.posthog.comPostHog analyticsconnect-srcOptional
tag.clearbitscripts.comClearbit trackingscript-srcOptional
cdn.heapanalytics.comHeap analyticsscript-srcOptional
chat.cdn-plain.comPlain chat widgetscript-srcOptional
chat-assets.frontapp.comFront chat widgetscript-srcOptional
browser.sentry-cdn.comSentry error trackingscript-src, connect-srcOptional
js.sentry-cdn.comSentry JavaScript SDKscript-srcOptional

Example CSP configuration

Only include domains for services that you use. Remove any analytics domains that you have not configured for your documentation.

Common configurations by proxy type

Most reverse proxies support adding custom headers.

Cloudflare configuration

Create a Response Header Transform Rule:
  1. In your Cloudflare dashboard, go to Rules > Overview.
  2. Click Create rule > Response Header Transform Rule.
  3. Configure the rule:
  • Modify response header: Set static
  • Header name: Content-Security-Policy
  • Header value:
  1. Deploy your rule.

AWS CloudFront configuration

Add a response headers policy in CloudFront:

Vercel configuration

Add to your vercel.json:

Troubleshooting

Identify CSP violations in your browser console:
  1. Open your browser’s Developer Tools.
  2. Go to the Console tab.
  3. Look for errors starting with:
    • Content Security Policy: The page's settings blocked the loading of a resource
    • Refused to load the script/stylesheet because it violates the following Content Security Policy directive
    • Refused to connect to because it violates the following Content Security Policy directive