Content Security Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS) attacks by controlling which resources a web page can load. Mintlify serves a default CSP that protects most sites. If you host your documentation behind a reverse proxy or firewall that overwrites the default CSP, you may need to configure CSP headers yourself for features to function properly.

CSP directives

The following CSP directives control which resources a page can load:
  • script-src: Controls which scripts can run
  • style-src: Controls which stylesheets can load
  • font-src: Controls which fonts can load
  • img-src: Controls which images, icons, and logos can load
  • connect-src: Controls which URLs the page can connect to for API calls and WebSocket connections
  • frame-src: Controls which URLs can be embedded in frames or iframes
  • default-src: Fallback for other directives when not explicitly set

Domain allowlist

Domain                               | Purpose                         | CSP directive          | Required
-------------------------------------|---------------------------------|------------------------|---------
d4tuoctqmanu0.cloudfront.net         | KaTeX CSS, fonts                | style-src, font-src    | Required
*.mintlify.dev                       | Documentation content           | connect-src, frame-src | Required
*.mintlify.com                       | Dashboard, API, analytics proxy | connect-src            | Required
leaves.mintlify.com                  | Assistant API                   | connect-src            | Required
d3gk2c5xim1je2.cloudfront.net        | Icons, images, logos            | img-src                | Required
d1ctpt7j8wusba.cloudfront.net        | Mint version and release files  | connect-src            | Required
mintcdn.com                          | Images, favicons                | img-src, connect-src   | Required
*.mintcdn.com                        | Images, favicons                | img-src, connect-src   | Required
cdn.jsdelivr.net                     | Emoji assets for OG images      | script-src, img-src    | Required
mintlify.s3.us-west-1.amazonaws.com  | S3-hosted images                | img-src                | Required
fonts.googleapis.com                 | Google Fonts                    | style-src, font-src    | Optional
www.googletagmanager.com             | Google Analytics/GTM            | script-src, connect-src| Optional
cdn.segment.com                      | Segment analytics               | script-src, connect-src| Optional
plausible.io                         | Plausible analytics             | script-src, connect-src| Optional
us.posthog.com                       | PostHog analytics               | connect-src            | Optional
tag.clearbitscripts.com              | Clearbit tracking               | script-src             | Optional
cdn.heapanalytics.com                | Heap analytics                  | script-src             | Optional
chat.cdn-plain.com                   | Plain chat widget               | script-src             | Optional
chat-assets.frontapp.com             | Front chat widget               | script-src             | Optional
browser.sentry-cdn.com               | Sentry error tracking           | script-src, connect-src| Optional
js.sentry-cdn.com                    | Sentry JavaScript SDK           | script-src             | Optional

Example CSP configuration

Only include domains for services that you use. Remove any analytics domains that you have not configured for your documentation.
Content-Security-Policy:
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net www.googletagmanager.com cdn.segment.com plausible.io
us.posthog.com tag.clearbitscripts.com cdn.heapanalytics.com chat.cdn-plain.com chat-assets.frontapp.com
browser.sentry-cdn.com js.sentry-cdn.com;
style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com;
font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com;
img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net mintcdn.com *.mintcdn.com cdn.jsdelivr.net mintlify.s3.us-west-1.amazonaws.com;
connect-src 'self' *.mintlify.dev *.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com *.mintcdn.com
www.googletagmanager.com cdn.segment.com plausible.io us.posthog.com browser.sentry-cdn.com;
frame-src 'self' *.mintlify.dev;
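Before deploying a header like the one above, it helps to confirm that every required row of the allowlist is actually covered, including wildcard rows such as *.mintcdn.com, which a bare mintcdn.com entry does not satisfy. The following checker is an added example, not Mintlify's own code; its REQUIRED table is transcribed from the allowlist, and the sample header in the demo is constructed.

```python
# Required rows of the allowlist table: domain -> directives that must allow it.
REQUIRED = {
    "d4tuoctqmanu0.cloudfront.net": ("style-src", "font-src"),
    "*.mintlify.dev": ("connect-src", "frame-src"),
    "*.mintlify.com": ("connect-src",),
    "leaves.mintlify.com": ("connect-src",),
    "d3gk2c5xim1je2.cloudfront.net": ("img-src",),
    "d1ctpt7j8wusba.cloudfront.net": ("connect-src",),
    "mintcdn.com": ("img-src", "connect-src"),
    "*.mintcdn.com": ("img-src", "connect-src"),
    "cdn.jsdelivr.net": ("script-src", "img-src"),
    "mintlify.s3.us-west-1.amazonaws.com": ("img-src",),
}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def source_allows(source: str, host: str) -> bool:
    """True if a host-source expression covers host; '*.' wildcards match subdomains."""
    source = source.split("//")[-1]  # tolerate an optional scheme prefix
    if source.startswith("*."):
        return host.endswith(source[1:])  # *.mintlify.com covers leaves.mintlify.com
    return source == host  # a bare host does not cover the '*.host' wildcard row


def missing_entries(header: str) -> list:
    """Return 'directive: domain' pairs from REQUIRED that the header does not allow."""
    policy = parse_csp(header)
    missing = []
    for domain, directives in REQUIRED.items():
        for directive in directives:
            # A fetch directive that is absent falls back to default-src, as in CSP.
            sources = policy[directive] if directive in policy else policy.get("default-src", [])
            if not any(source_allows(s, domain) for s in sources):
                missing.append(f"{directive}: {domain}")
    return missing


if __name__ == "__main__":
    # Constructed sample: a proxy header that forgot frame-src and the wildcard CDN entry.
    sample = "default-src 'self'; connect-src 'self' *.mintlify.dev *.mintlify.com mintcdn.com"
    for entry in missing_entries(sample):
        print("missing", entry)
```

Paste the header value your proxy serves (for example from the response headers in your browser's Network tab) into missing_entries to see which required rows it still lacks.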

Common configurations by proxy type

Most reverse proxies support adding custom headers.

Cloudflare configuration

Create a Response Header Transform Rule:
  1. In your Cloudflare dashboard, go to Rules > Overview.
  2. Select Create rule > Response Header Transform Rule.
  3. Configure the rule:
     • Modify response header: Set static
     • Header name: Content-Security-Policy
     • Header value:
       default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net mintcdn.com *.mintcdn.com cdn.jsdelivr.net mintlify.s3.us-west-1.amazonaws.com; connect-src 'self' *.mintlify.dev *.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com *.mintcdn.com; frame-src 'self' *.mintlify.dev;
  4. Deploy your rule.

AWS CloudFront configuration

Add a response headers policy in CloudFront:
{
  "ResponseHeadersPolicy": {
    "Name": "MintlifyCSP",
    "Config": {
      "SecurityHeadersConfig": {
        "ContentSecurityPolicy": {
          "ContentSecurityPolicy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net mintcdn.com *.mintcdn.com cdn.jsdelivr.net mintlify.s3.us-west-1.amazonaws.com; connect-src 'self' *.mintlify.dev *.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com *.mintcdn.com; frame-src 'self' *.mintlify.dev;",
          "Override": true
        }
      }
    }
  }
}

Vercel configuration

Add to your vercel.json:
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Content-Security-Policy",
          "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net mintcdn.com *.mintcdn.com cdn.jsdelivr.net mintlify.s3.us-west-1.amazonaws.com; connect-src 'self' *.mintlify.dev *.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com *.mintcdn.com; frame-src 'self' *.mintlify.dev;"
        }
      ]
    }
  ]
}

Troubleshooting

Identify CSP violations in your browser console:
  1. Open your browser’s Developer Tools.
  2. Go to the Console tab.
  3. Look for errors starting with:
    • Content Security Policy: The page's settings blocked the loading of a resource
    • Refused to load the script/stylesheet because it violates the following Content Security Policy directive
    • Refused to connect to because it violates the following Content Security Policy directive