---
title: "CSP and firewall rules for document authoring"
canonical_url: "https://www.nutrient.io/guides/document-authoring/content-security-policy-and-firewall-rules/"
md_url: "https://www.nutrient.io/guides/document-authoring/content-security-policy-and-firewall-rules.md"
last_updated: "2026-06-15T07:45:53.408Z"
description: "Learn about implementing content security policies and firewall rules for enhanced protection in document authoring applications."
---

# Enhancing document authoring with CSP guidelines

This guide may apply to you if you aren’t [self-hosting assets](https://www.nutrient.io/guides/document-authoring/self-hosting-assets.md). By default, we load most assets from our content delivery network (CDN). Self-hosting is a great choice for those who want either more control or offline-first capabilities.

Content Security Policy (CSP) headers are an essential security feature designed to help protect web applications from various types of attacks, such as cross-site scripting (XSS) and data injection attacks. CSP allows you to specify the sources from which the browser is permitted to load resources, such as scripts, styles, and images, thereby reducing the risk of malicious code execution.

For more detailed information on CSP, refer to the [MDN Web Docs on CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).

## Default secure CSP (CSPv3)

By default, we support a strict CSPv3 configuration, which includes the `strict-dynamic` directive and nonce-based script management. In this policy, `'unsafe-inline'` and the `https: http:` host sources are backward-compatibility fallbacks: a browser that understands nonces ignores `'unsafe-inline'`, and one that understands `'strict-dynamic'` ignores the host sources, so only older browsers fall back to them. See this [web.dev article](https://web.dev/articles/strict-csp) for more details:

```text
Content-Security-Policy:
  script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
  object-src 'none';
  base-uri 'self';
```

If you already have this policy in place, no changes are needed. Just remember to apply your nonce to the script tags that load our assets. Nonces are unique values generated for each request, allowing the browser to identify which scripts are trusted. Learn more about using nonces in [this tutorial on CSP](https://web.dev/articles/csp).

## CSPv2 and CSPv1

If your application cannot use CSPv3 features and must rely on source allowlisting, below are the relevant directives you’ll need to implement for Document Authoring to function correctly.

## Example CSP configuration for CSPv2/CSPv1

```text
script-src:
  https://document-authoring.cdn.nutrient.io
```

If you’re applying other CSP directives, you’ll need to include the following entries to ensure Document Authoring functions correctly:

```text
connect-src:
  https://document-authoring.cdn.nutrient.io

child-src:
  https://document-authoring.cdn.nutrient.io

font-src:
  https://document-authoring.cdn.nutrient.io

img-src:
  blob:
  data:
  https://document-authoring.cdn.nutrient.io

style-src:
  'unsafe-inline'
```

If your policy targets CSPv3, note that the `child-src` directive is deprecated there and replaced by the `frame-src` and `worker-src` directives. Use those in place of `child-src` in modern CSP configurations.

## Using CSP via a meta tag

Outside of setting CSP headers server-side, you can also specify CSP directives directly in your HTML using a `<meta>` tag:

```html
<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self'; script-src 'nonce-{random}' https://document-authoring.cdn.nutrient.io;"
/>
```

This method is particularly useful for testing CSP configurations or when server-side header management isn’t possible.

## Firewall considerations

In addition to configuring your CSP directives, if you’re behind a firewall, you may need to allow certain domains in your firewall settings to ensure Document Authoring functions correctly. The domain(s) listed above should be allowlisted in your firewall to allow outbound connections.

## Other resources

By following these guidelines, you’ll ensure that all functionality works out of the box and adheres to good security practices. Remember to keep your CSP directives updated as your application evolves and to test your configuration thoroughly to avoid breaking functionality.

For more in-depth guidance on CSP, refer to the [MDN Web Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) and consider using tools like [CSP Evaluator](https://csp-evaluator.withgoogle.com/) to analyze and refine your policy.

---

## Related pages

- [Use copy/paste and HTML interoperability](/guides/document-authoring/copy-paste-and-html-interoperability.md)
- [Customize actions and the toolbar](/guides/document-authoring/customize-actions-and-toolbar.md)
- [Agent skill](/guides/document-authoring/agent-skill.md)
- [Document Authoring SDK](/guides/document-authoring.md)
- [Changelog for Document Authoring SDK](/guides/document-authoring/changelog.md)
- [Use events and integration APIs](/guides/document-authoring/events-and-integration.md)
- [Get started with Document Authoring guides](/guides/document-authoring/intro.md)
- [How to self-host Document Authoring assets](/guides/document-authoring/self-hosting-assets.md)

