| Directive | Value | Explanation |
|---|---|---|
| connect-src | https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com | Controls which URLs the site can make network requests to (XMLHttpRequest, WebSocket, fetch). Required for API calls and data fetching from Sovendus services. |
| font-src | https://*.sovendus.com | Specifies valid sources for fonts loaded with @font-face. Allows custom fonts from Sovendus domains to ensure consistent branding and typography. |
| frame-src | https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com | Controls which URLs can be embedded as frames/iframes. Essential for displaying Sovendus voucher banners and embedded content securely. |
| img-src | data: https://*.sovendus.com | Defines valid sources for images. Includes data: for inline base64 images and Sovendus domains for voucher logos, brand images, and promotional graphics. |
| script-src | 'unsafe-inline' https://*.sovendus.com | Specifies valid sources for JavaScript. 'unsafe-inline' allows inline scripts, and Sovendus domains enable loading of tracking and banner functionality scripts. |
| style-src | 'unsafe-inline' https://*.sovendus.com | Specifies valid sources for stylesheets. 'unsafe-inline' allows inline styles, and Sovendus domains serve the banner stylesheets (value taken from the complete policy header below). |
The complete header value (the same policy that appears in the server configuration examples below):

```http
Content-Security-Policy: connect-src 'self' https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com; font-src 'self' https://*.sovendus.com; frame-src 'self' https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com; img-src 'self' data: https://*.sovendus.com; script-src 'self' 'unsafe-inline' https://*.sovendus.com; style-src 'self' 'unsafe-inline' https://*.sovendus.com;
```
As an HTML meta tag (the policy is identical to the header version above):

```html
<meta http-equiv="Content-Security-Policy" content="connect-src 'self' https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com; font-src 'self' https://*.sovendus.com; frame-src 'self' https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com; img-src 'self' data: https://*.sovendus.com; script-src 'self' 'unsafe-inline' https://*.sovendus.com; style-src 'self' 'unsafe-inline' https://*.sovendus.com;">
```
Apache (.htaccess or virtual host configuration, requires mod_headers):

```apache
<IfModule mod_headers.c>
  Header always set Content-Security-Policy "connect-src 'self' https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com; font-src 'self' https://*.sovendus.com; frame-src 'self' https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com; img-src 'self' data: https://*.sovendus.com; script-src 'self' 'unsafe-inline' https://*.sovendus.com; style-src 'self' 'unsafe-inline' https://*.sovendus.com;"
</IfModule>
```
Nginx (inside the server or location block):

```nginx
add_header Content-Security-Policy "connect-src 'self' https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com; font-src 'self' https://*.sovendus.com; frame-src 'self' https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com; img-src 'self' data: https://*.sovendus.com; script-src 'self' 'unsafe-inline' https://*.sovendus.com; style-src 'self' 'unsafe-inline' https://*.sovendus.com;" always;
```
Node.js / Express (middleware that sets the header on every response):

```javascript
const express = require('express');
const app = express();

// Set the CSP header before any route handler writes a response
app.use((req, res, next) => {
  res.setHeader(
    'Content-Security-Policy',
    "connect-src 'self' https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com; font-src 'self' https://*.sovendus.com; frame-src 'self' https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com; img-src 'self' data: https://*.sovendus.com; script-src 'self' 'unsafe-inline' https://*.sovendus.com; style-src 'self' 'unsafe-inline' https://*.sovendus.com;"
  );
  next();
});
```
PHP (header() must be called before any output is sent):

```php
<?php
header("Content-Security-Policy: connect-src 'self' https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com; font-src 'self' https://*.sovendus.com; frame-src 'self' https://*.sovendus.com https://www.sovendus-benefits.com https://www.sovendus-campaign.com https://www.sovendus-connect.com https://www.sovendus-network.com; img-src 'self' data: https://*.sovendus.com; script-src 'self' 'unsafe-inline' https://*.sovendus.com; style-src 'self' 'unsafe-inline' https://*.sovendus.com;");
?>
```
| Error | Cause | Solution |
|---|---|---|
| Refused to connect | Missing connect-src | Add Sovendus domains to connect-src |
| Refused to load font | Missing font-src | Add https://*.sovendus.com to font-src |
| Refused to frame | Missing frame-src | Add Sovendus domains to frame-src |
| Refused to load image | Missing img-src | Add data: and Sovendus domains to img-src |
| Refused to execute script | Missing script-src | Add 'unsafe-inline' and Sovendus domains to script-src |
| Refused to apply style | Missing style-src | Add 'unsafe-inline' and Sovendus domains to style-src |
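The directive table and the troubleshooting table above both boil down to one question: does the site's current policy admit every Sovendus source in every directive? The following Node.js script is an added example (not Sovendus code) that answers it offline: it parses a serialized CSP header, applies the spec's fallbacks (frame-src falls back to child-src and then default-src, the other directives to default-src), and lists the missing sources per directive. The required sources are copied from the table; the sample partial policy is constructed for illustration.

```javascript
// Added example (not Sovendus code): check a CSP header against the
// Sovendus sources from the directive table. Required lists come from the
// table; the fallback order follows the CSP specification.
const SOVENDUS_HOSTS = [
  'https://*.sovendus.com',
  'https://www.sovendus-benefits.com',
  'https://www.sovendus-campaign.com',
  'https://www.sovendus-connect.com',
  'https://www.sovendus-network.com',
];

const REQUIRED = {
  'connect-src': SOVENDUS_HOSTS,
  'font-src': ['https://*.sovendus.com'],
  'frame-src': SOVENDUS_HOSTS,
  'img-src': ['data:', 'https://*.sovendus.com'],
  'script-src': ["'unsafe-inline'", 'https://*.sovendus.com'],
  'style-src': ["'unsafe-inline'", 'https://*.sovendus.com'],
};

// Split a serialized policy into a Map of directive name -> source list.
// Directive names and source expressions are matched case-insensitively.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Sources actually in effect for a directive, honouring CSP fallbacks:
// frame-src -> child-src -> default-src, everything else -> default-src.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (directive === 'frame-src' && policy.has('child-src')) return policy.get('child-src');
  return policy.get('default-src') || [];
}

// Does one allowed source expression cover one required source?
// Keywords ('unsafe-inline') and schemes (data:) need an exact match.
// '*' and 'https:' cover any http(s) host; a wildcard host such as
// https://*.sovendus.com covers subdomains only, never the bare domain.
function covers(allowed, required) {
  if (allowed === required) return true;
  if (!required.startsWith('http')) return false;
  if (allowed === '*') return true;
  if (allowed === 'https:' && required.startsWith('https://')) return true;
  const pattern = allowed.match(/^(https?:\/\/)\*(\..+)$/);
  const host = required.match(/^(https?:\/\/)(.+)$/);
  if (!pattern || !host || pattern[1] !== host[1]) return false;
  return host[2].endsWith(pattern[2]);
}

// Return { directive: [missing sources] } for every directive that does
// not yet admit all required Sovendus sources; {} means the policy is complete.
function missingSovendusSources(header) {
  const policy = parseCsp(header);
  const missing = {};
  for (const [directive, required] of Object.entries(REQUIRED)) {
    const allowed = effectiveSources(policy, directive);
    const gaps = required.filter((r) => !allowed.some((a) => covers(a, r)));
    if (gaps.length) missing[directive] = gaps;
  }
  return missing;
}

// Constructed sample: a policy that only partially allows Sovendus.
const PARTIAL_POLICY = "default-src 'self'; connect-src 'self' https://*.sovendus.com";

console.log(missingSovendusSources(PARTIAL_POLICY));
```

Run it against the value returned by `curl -I` (see the testing section) before switching from report-only to enforcement; an empty object means every directive in the table is satisfied, and each listed gap maps directly onto one row of the troubleshooting table.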
```javascript
// Monitor CSP violations in browser console
window.addEventListener('securitypolicyviolation', (e) => {
  console.log('CSP Violation:', {
    directive: e.violatedDirective,
    blockedURI: e.blockedURI,
    sourceFile: e.sourceFile,
    lineNumber: e.lineNumber,
    originalPolicy: e.originalPolicy,
  });
});
```
```bash
# Test CSP headers with curl
curl -I https://yoursite.com | grep -i content-security-policy

# Validate CSP syntax
# Use online CSP validators or browser dev tools
```
```http
# Start with report-only mode for testing
Content-Security-Policy-Report-Only: connect-src 'self' https://*.sovendus.com; report-uri /csp-report

# Then switch to enforcement mode
Content-Security-Policy: connect-src 'self' https://*.sovendus.com;
```