Skip to main content
Content Security Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS) attacks by controlling which resources a web page can load. Mintlify serves a default CSP that protects most sites. If you host your documentation behind a reverse proxy or firewall that overwrites the default CSP, you may need to configure CSP headers for features to function properly.

CSP directives

The following CSP directives control which resources a page can load:
  • script-src: Controls which scripts can run
  • style-src: Controls which stylesheets can load
  • font-src: Controls which fonts can load
  • img-src: Controls which images, icons, and logos can load
  • connect-src: Controls which URLs can connect to for API calls and WebSocket connections
  • frame-src: Controls which URLs can embed in frames or iframes
  • default-src: Fallback for other directives when not explicitly set

Domain allowlist

Example CSP configuration

Only include domains for services that you use. Remove any analytics domains that you have not configured for your documentation.

Common configurations by proxy type

Most reverse proxies support adding custom headers.

Cloudflare configuration

Create a Response Header Transform Rule:
  1. In your Cloudflare dashboard, go to Rules > Overview.
  2. Click Create rule > Response Header Transform Rule.
  3. Configure the rule:
  • Modify response header: Set static
  • Header name: Content-Security-Policy
  • Header value:
  1. Deploy your rule.

AWS CloudFront configuration

Add a response headers policy in CloudFront:

Vercel configuration

Add to your vercel.json:

Troubleshooting

Identify CSP violations in your browser console:
  1. Open your browser’s Developer Tools.
  2. Go to the Console tab.
  3. Look for errors starting with:
    • Content Security Policy: The page's settings blocked the loading of a resource
    • Refused to load the script/stylesheet because it violates the following Content Security Policy directive
    • Refused to connect to because it violates the following Content Security Policy directive