Content Security Policy (CSP)

A Content Security Policy restricts the origins from which your frontend code may load resources, which reduces the damage injected or untrusted content can do in your web app.

To configure a CSP that works with Bytescale, include the following directives in your Content-Security-Policy HTTP response header:

connect-src https://upcdn.io https://api.bytescale.com https://upload-prod-files.s3.dualstack.us-east-1.amazonaws.com;
img-src https://upcdn.io;
media-src https://upcdn.io;

Explanation:

  • This policy allows img, video, and audio elements to be loaded from the Bytescale CDN (upcdn.io).

  • This policy also allows Bytescale API calls (api.bytescale.com and upload-prod-files.s3.dualstack.us-east-1.amazonaws.com).

  • If you need to support additional asset types, add the necessary directives, or use broader ones to fit your use case.
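The following is an added example, not code from Bytescale or from this page: a small Python checker that parses a Content-Security-Policy header and reports which Bytescale requests it would block. It shows the most common mistake when adding these directives: a page that already sends default-src 'self' must still list the Bytescale origins under connect-src, img-src and media-src, because those fetch directives fall back to default-src when they are absent. The request paths under upcdn.io, api.bytescale.com and the S3 bucket are constructed placeholders, and the matcher implements only 'self', 'none', '*', scheme sources and host sources (with a leading wildcard); it ignores paths and port defaults.

```python
from urllib.parse import urlsplit

# The directives this page documents as required for Bytescale.
BYTESCALE_CSP = (
    "connect-src https://upcdn.io https://api.bytescale.com "
    "https://upload-prod-files.s3.dualstack.us-east-1.amazonaws.com; "
    "img-src https://upcdn.io; "
    "media-src https://upcdn.io;"
)

# Fetch directives that inherit default-src when they are not set explicitly.
FETCH_DIRECTIVES = {
    "connect-src", "img-src", "media-src", "script-src", "style-src",
    "font-src", "frame-src", "object-src", "manifest-src", "worker-src",
}

# Constructed sample requests: the paths are placeholders, not real Bytescale URLs.
BYTESCALE_REQUESTS = {
    "connect-src": [
        "https://api.bytescale.com/v2/example",
        "https://upcdn.io/example/file",
        "https://upload-prod-files.s3.dualstack.us-east-1.amazonaws.com/example",
    ],
    "img-src": ["https://upcdn.io/example/image.jpg"],
    "media-src": ["https://upcdn.io/example/video.mp4"],
}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}.

    A repeated directive is ignored by browsers, so the first occurrence wins.
    """
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Return the source list that governs `directive`, or None if it is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")  # fallback; None if default-src is absent
    return None


def source_allows(expr, url, page_origin):
    """Minimal source-expression matcher (no path or default-port handling)."""
    target = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        origin = urlsplit(page_origin)
        return (target.scheme, target.netloc.lower()) == (origin.scheme, origin.netloc.lower())
    if expr == "*":
        return target.scheme in ("http", "https", "ws", "wss")
    if expr.endswith(":") and "://" not in expr:  # scheme-source such as "https:"
        return target.scheme == expr[:-1].lower()
    pattern = urlsplit(expr if "://" in expr else "//" + expr)
    if pattern.scheme and pattern.scheme != target.scheme:
        return False
    want, got = (pattern.hostname or "").lower(), (target.hostname or "").lower()
    if want.startswith("*."):  # *.example.com matches any subdomain, not the apex
        return got.endswith(want[1:])
    return want == got


def url_allowed(header, directive, url, page_origin="https://app.example.com"):
    """True if a fetch governed by `directive` to `url` passes the policy in `header`."""
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


def blocked_bytescale_requests(header, page_origin="https://app.example.com"):
    """List the (directive, url) pairs the policy would block for the sample requests."""
    return [
        (directive, url)
        for directive, urls in BYTESCALE_REQUESTS.items()
        for url in urls
        if not url_allowed(header, directive, url, page_origin)
    ]


if __name__ == "__main__":
    # Locked-down policy plus the Bytescale directives: nothing is blocked.
    print(blocked_bytescale_requests("default-src 'self'; " + BYTESCALE_CSP))
    # default-src 'self' on its own blocks every Bytescale request, because the
    # fetch directives fall back to default-src when they are missing.
    print(blocked_bytescale_requests("default-src 'self'"))
```

Run it against the header your server actually emits (for example, copied from the browser's network panel) before deploying; an empty list means the Bytescale CDN and API origins are reachable under that policy.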

CSP headers play a critical role in strengthening the security of your web application by controlling what content is allowed to load.

Here's why they matter:

  • Prevent XSS Attacks: CSP restricts the execution of unauthorized scripts, preventing attackers from injecting and executing malicious code through Cross-Site Scripting (XSS).
  • Block Untrusted Resources: By limiting the sources of scripts, styles, and other assets, CSP prevents your app from loading content from untrusted domains that may contain malicious code.
  • Mitigate Data Theft: CSP helps prevent unauthorized scripts from being executed, blocking attacks that aim to steal sensitive user data, like login credentials or payment details.
  • Protect Against Clickjacking: CSP can prevent your app from being embedded into malicious iframes, protecting users from clickjacking attacks.
  • Ensure Secure Connections: By enforcing HTTPS in your CSP, you ensure that content is only loaded over secure, encrypted connections, protecting against man-in-the-middle attacks.

Implementing CSP headers is an essential layer of defense in safeguarding your application from a wide range of security threats.
