Content security rules

Content security rules (previously known as policies) define the resources allowed on your applications through Content Security Policy (CSP) directives. These rules can log violations and also enforce an allowlist of resources, effectively blocking resources not included in the policies. These two types of content security rules are called log rules and allow rules, respectively.

Create allow rules to define a positive security model, also known as positive blocking. According to this model, you define what is allowed and reject everything else. Such an approach helps you reduce the attack surface for unwanted third-party scripts in your application.

A content security rule can control both client-side resources monitored by Cloudflare, such as scripts and their connections, and other types of resources. Refer to Supported CSP directives for details.

Rule actions

A content security rule can perform one of the following actions:

  • Log: Cloudflare will log any resources not covered by the rule, without blocking any resources. Use this action to validate a new content security rule before deploying it. Resources not covered by the rule will be reported as rule violations.
  • Allow: Cloudflare will block any resources not explicitly allowed by the content security rule. Switch to the Allow action after validating a new rule with the Log action, so that your content security rule does not block essential application resources, which would affect your application's end users. Rules with the Allow action will log rule violations for any blocked resources.

For details on the CSP directives Cloudflare creates for each type of rule action, refer to How client-side security works. For more information on the CSP directives supported by content security rules, refer to Supported CSP directives.

Comparison

                  Log rule                                  Allow rule
CSP header        content-security-policy-report-only       content-security-policy
Browser action    Loads all resources                       Blocks resources not in your allowlist
Violations        Reported to Cloudflare without blocking   Logged by Cloudflare after blocking
Use case          Validate a rule before enforcing it       Enforce a positive security model
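The following added example (not Cloudflare's code) models the two rule actions and the comparison above: it emits the report-only header for a Log rule and the enforcing header for an Allow rule, then applies a constructed allowlist to a few sample resource loads to show which load and which are reported as violations. The allowlist, origin and URLs are constructed sample values, and the source matching is a simplified subset of CSP host-source rules.

```python
"""Model of content security rule actions: Log (report-only) vs Allow (enforce)."""
from urllib.parse import urlparse

# Constructed sample allowlist: CSP directive -> allowed source expressions.
# Not taken from any real configuration.
ALLOWLIST = {
    "script-src": ["'self'", "https://cdn.example.com", "https://*.analytics.example"],
    "connect-src": ["'self'", "https://api.example.com"],
}


def build_header(directives, mode):
    """Return (header name, header value) for a 'log' or 'allow' rule.

    A Log rule ships the policy as content-security-policy-report-only, so the
    browser only reports misses; an Allow rule uses content-security-policy, so
    the browser blocks anything outside the allowlist.
    """
    if mode not in ("log", "allow"):
        raise ValueError("mode must be 'log' or 'allow'")
    name = "content-security-policy-report-only" if mode == "log" else "content-security-policy"
    value = "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in directives.items())
    return name, value


def source_matches(src_expr, resource_url, page_origin):
    """Simplified CSP host-source match: 'self', exact scheme+host, or *.wildcard host."""
    r = urlparse(resource_url)
    if src_expr == "'self'":
        return (r.scheme, r.netloc) == tuple(urlparse(page_origin)[:2])
    s = urlparse(src_expr)
    if s.scheme and s.scheme != r.scheme:
        return False
    if s.netloc.startswith("*."):
        return r.netloc.endswith(s.netloc[1:])  # drop '*', keep leading '.'
    return s.netloc == r.netloc


def evaluate(directives, mode, page_origin, loads):
    """Apply a rule to observed (directive, url) loads.

    Returns (url, loaded, violation) per load: Log loads everything and reports
    misses; Allow blocks misses and still logs them as violations.
    """
    results = []
    for directive, url in loads:
        allowed = any(source_matches(s, url, page_origin) for s in directives.get(directive, []))
        loaded = True if mode == "log" else allowed
        results.append((url, loaded, not allowed))
    return results
```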

Next steps

Refer to the following pages for instructions on creating a content security rule:

Shortly after you configure content security rules, the Cloudflare dashboard will start displaying any violations of those rules.

You can filter client-side security alert notifications according to the content security rules you configured in a zone. These alerts are called scoped alerts.