Can anyone share meta CSP policy settings

We have CSP enabled on Meta, and recommend everyone keeps it enabled on their own sites! It provides a good layer of protection against exploits. Content Security Policy (CSP) - HTTP | MDN


I’ll translate that :wink: We don’t have too many settings of CSP to share. Only on or off…

It is other systems where system admins can easily adjust CSP. Discourse is not one of those.

(Off topic, but CSP is strongly overrated, because you must use so many settings that actually allow too many things, weakening CSP. And on global sites, Google Ads and CSP are a pain in the tender places…)


You can add new domains to the script src CSP policy in site settings, which is the main use case for our users.

Plugins can extend any other CSP directives.


Good to know I/we can override the default with full-scale CSP. Every day something new :+1:


