Use Case Information
Thought Industries offers several HTTP security headers to help you enhance the security of your instance and protect against common attacks such as cross-site scripting (XSS) and clickjacking.
The Referrer Policy Header
This header controls how much referrer information (the address of the page a request originated from) the browser includes when it makes requests from your Thought Industries instance. With the value below, same-origin requests carry the full URL, cross-origin requests carry only the origin (scheme and host), and nothing is sent when a request downgrades from HTTPS to HTTP. This header is enabled by default for your Thought Industries instance.
Referrer-Policy: strict-origin-when-cross-origin
The Permissions Policy Header
This header (formerly known as the Feature Policy) disables the listed browser features for your Thought Industries instance, so that neither your own pages nor any embedded third-party content can use them. Your site does not set a Permissions Policy Header by default, but you can optionally enable the following Permissions Policy:
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), battery=(), gyroscope=(), magnetometer=(), usb=(), xr-spatial-tracking=()
The Permissions Policy Header is behind a feature flag.
Reach out to Thought Industries Tech Success & Support for assistance to enable this feature in your instance.
The Frame Options Header
Frame Options determine whether your instance can be embedded into another website using a frame, iframe, or object element. Find this in Settings > Security > Security options.
Frame options are set to Allow by default, which lets any site embed your instance. Use the click path above to optionally set it to Allow from Same Origin, so that only pages on your own origin can frame it; this is the setting that protects your learners against clickjacking.
The Content Security Policy Header
This header lets you restrict which resources (fonts, images, scripts, connections to other URLs, and so on) the browser may load for your Thought Industries instance.
Find this in Settings > Security > Security options.
Enable the Content Security Policy
- Set the Content Security Policy to Enabled to enforce a baseline CSP in response headers.
- We highly recommend first running this feature with CSP Report Only enabled, so that violations are reported but nothing is blocked for your users until you have allowed every legitimate resource. See developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only for more information.
- Optionally enter a CSP Report URI, an endpoint of your choosing to which we will send POST requests containing the CSP violation reports generated by your users' browsers while they use your instance. These violations also appear live in the browser's developer console whether or not a CSP Report URI is set. See below for an example POST payload to that endpoint.
Example
Thought Industries continually tracks these reports and extends the baseline policy with what Report-Only mode surfaces.
Add Custom CSP Sources
As you collect these reports and identify legitimate resources you want to allow in your Content-Security-Policy header, add them in the Custom CSP Sources section.
Select a Directive and add Sources in its input field (click Add Source to choose a Directive that is not yet listed).
Separate multiple sources for a directive with a single space, for example https://cdn.example.com https://fonts.example.com for font-src.
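As an added illustration, not taken from Thought Industries' documentation or code, the Python below shows the shape of the JSON body a browser POSTs to a report-uri endpoint and how a collector of your own might turn a batch of such reports into candidate entries for the Custom CSP Sources form. The report bodies, document URLs and vendor hostnames are constructed for the example; the field names follow the csp-report format browsers send, while the aggregation logic and the baseline policy string are assumptions about how you might process reports, not a Thought Industries feature.

```python
import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample bodies in the shape a browser POSTs to a report-uri
# endpoint (Content-Type application/csp-report, one "csp-report" object).
# Hostnames and the policy string are illustrative; the last entry is
# deliberately malformed to show the endpoint tolerating bad input.
SAMPLE_REPORTS: List[str] = [
    json.dumps({"csp-report": {
        "document-uri": "https://learn.example.com/learn/course/intro",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "original-policy": "default-src 'self'; script-src 'self'; "
                           "report-uri https://csp.example.com/report",
        "blocked-uri": "https://cdn.analytics-vendor.example/tag.js",
        "status-code": 200,
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://learn.example.com/learn/course/intro",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "https://cdn.analytics-vendor.example/pixel.js",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://learn.example.com/learn/catalog",
        "effective-directive": "font-src",
        "violated-directive": "font-src",
        "blocked-uri": "https://fonts.example-cdn.net/roboto.woff2",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://learn.example.com/learn/catalog",
        "effective-directive": "img-src",
        "violated-directive": "img-src",
        "blocked-uri": "data",  # non-HTTP(S) URLs are reported by scheme only
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://learn.example.com/learn/course/intro",
        "effective-directive": "script-src",
        "violated-directive": "script-src",
        "blocked-uri": "inline",  # an inline <script> without a valid nonce
    }}),
    "this is not json",
]


def parse_report(body: str) -> Optional[dict]:
    """Return the inner csp-report object, or None if the body is not a report."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    return report if isinstance(report, dict) else None


def source_for(blocked_uri: str) -> Optional[str]:
    """Map a blocked-uri to the source expression you would add for it.

    Returns None for values an allowlist entry cannot fix: "inline" and
    "eval" need a nonce or a code change, "self" points back at your own
    document and needs investigation, and an empty value carries nothing.
    """
    if blocked_uri in ("", "inline", "eval", "self"):
        return None
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"  # allow the origin, not the full path
    if blocked_uri.isalpha():
        return f"{blocked_uri}:"  # scheme-only report, e.g. "data" -> "data:"
    return None


def aggregate(bodies: List[str]) -> Tuple[Dict[str, Dict[str, int]], Dict[str, int]]:
    """Count allowlist candidates per effective directive and tally what was skipped."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    skipped: Dict[str, int] = defaultdict(int)
    for body in bodies:
        report = parse_report(body)
        if report is None:
            skipped["malformed"] += 1
            continue
        # Older browsers put the whole directive ("script-src 'self'") in
        # violated-directive; effective-directive is just the directive name.
        raw = report.get("effective-directive") or report.get("violated-directive") or "unknown"
        directive = (str(raw).split() or ["unknown"])[0]
        source = source_for(str(report.get("blocked-uri", "")))
        if source is None:
            skipped[str(report.get("blocked-uri") or "unknown")] += 1
            continue
        counts[directive][source] += 1
    return counts, skipped


def custom_sources(counts: Dict[str, Dict[str, int]], min_reports: int = 1) -> Dict[str, str]:
    """Render candidates as the space-separated source list per directive that
    the Custom CSP Sources form takes. Treat the result as a review queue:
    confirm each host is yours or a vendor you trust before adding it."""
    rendered: Dict[str, str] = {}
    for directive, sources in counts.items():
        keep = sorted(s for s, n in sources.items() if n >= min_reports)
        if keep:
            rendered[directive] = " ".join(keep)
    return rendered


if __name__ == "__main__":
    found, dropped = aggregate(SAMPLE_REPORTS)
    for name, sources in custom_sources(found).items():
        print(f"{name}: {sources}")
    print("skipped:", dict(dropped))
```

In a real collector the `bodies` list would be the request bodies received at your CSP Report URI; the functions above are what you would run over them before filling in the form. Raising `min_reports` filters out one-off noise from browser extensions, which also generate violation reports against your policy.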
Allow Tracking Scripts Site
Find this in Settings > Integrations > Tracking Scripts or append /learn/manager/security-settings to your URL.
When a Content Security Policy is enabled, inline scripts are blocked by default unless they carry a nonce value that matches the policy. Thought Industries generates a fresh nonce for each CSP response header and exposes it through the {{cspNonce}} substitution; place it in the nonce attribute of your inline script tags wherever the substitution is available. A script tag without a matching nonce will not execute.
See developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script for more information.
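To make the nonce mechanism concrete, here is an added Python example, not Thought Industries' implementation, that generates a per-response nonce, fills in a {{cspNonce}} placeholder in a constructed tracking snippet, builds a matching script-src directive, and then simulates the browser's decision for each inline script tag. The snippet, the vendor hostname and the baseline policy string are assumptions made for the example; only the {{cspNonce}} placeholder and the 'nonce-...' source syntax come from the page and the CSP specification.

```python
import re
import secrets
from typing import List, Sequence, Set

# Constructed tracking-script snippet of the kind pasted into the Tracking
# Scripts setting. The first tag uses the {{cspNonce}} substitution, the
# second is an external script, and the third is an inline tag pasted
# without the placeholder. The vendor hostname is illustrative.
TRACKING_SNIPPET = """
<script nonce="{{cspNonce}}">
  window.dataLayer = window.dataLayer || [];
  dataLayer.push({"event": "page_view"});
</script>
<script nonce="{{cspNonce}}" src="https://tag.analytics-vendor.example/tag.js"></script>
<script>
  console.log("legacy snippet without a nonce");
</script>
"""

NONCE_SOURCE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce=["']([^"']*)["']""", re.IGNORECASE)
SRC_ATTR = re.compile(r"\bsrc=", re.IGNORECASE)


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url-encoded. A nonce must be fresh
    per response and unguessable; a static or predictable one lets anyone who
    can inject HTML attach the same nonce to their own script."""
    return secrets.token_urlsafe(16)


def render(snippet: str, nonce: str) -> str:
    """Fill in the {{cspNonce}} placeholder for this response."""
    return snippet.replace("{{cspNonce}}", nonce)


def csp_header(nonce: str, extra_script_sources: Sequence[str] = ()) -> str:
    """Assumed baseline policy for the example (not Thought Industries' actual
    baseline): self plus the per-response nonce for scripts."""
    script_src = " ".join(["'self'", f"'nonce-{nonce}'", *extra_script_sources])
    return f"default-src 'self'; script-src {script_src}; object-src 'none'"


def script_src_nonces(header: str) -> Set[str]:
    """Nonces listed in the header's script-src directive."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "script-src":
            return set(NONCE_SOURCE.findall(value))
    return set()


def inline_scripts_allowed(header: str, html: str) -> List[bool]:
    """Simulate the browser's check for each inline <script> in html: it runs
    only if its nonce attribute equals a 'nonce-...' source in script-src.
    External (src=) scripts are skipped because they may also be allowed by a
    host source, which this simplified check does not model."""
    allowed = script_src_nonces(header)
    verdicts: List[bool] = []
    for tag in SCRIPT_TAG.finditer(html):
        attrs = tag.group(1)
        if SRC_ATTR.search(attrs):
            continue
        match = NONCE_ATTR.search(attrs)
        verdicts.append(match is not None and match.group(1) in allowed)
    return verdicts


if __name__ == "__main__":
    nonce = new_nonce()
    header = csp_header(nonce)
    page = render(TRACKING_SNIPPET, nonce)
    print(header)
    print(inline_scripts_allowed(header, page))  # [True, False]
    # A nonce from an earlier response does not validate against a new header,
    # which is why the placeholder must be substituted on every render.
    print(inline_scripts_allowed(csp_header(new_nonce()), page))  # [False, False]
```

The second result shows why cached or hand-copied HTML breaks under a nonce-based policy: the tag's nonce and the header's nonce are only ever valid as a pair for one response. Any tracking snippet that still contains a bare <script> without the substitution will show up in your CSP reports with a blocked-uri of "inline".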
The Content Security Policy Header is behind a feature flag.
Reach out to Thought Industries Tech Success & Support for assistance to enable this feature in your instance.