Add missing hostnames to CSP configuration (#1202)

* Add missing hostnames to CSP configuration

Added 13 missing domains found in comprehensive codebase search:
- *.mintlify.com (dashboard, API, analytics proxy)
- leaves.mintlify.com (GitLab webhooks)
- d1ctpt7j8wusba.cloudfront.net (mint releases)
- mintcdn.com (asset tracking)
- api.mintlifytrieve.com (search API)
- mintlify-assets.b-cdn.net (BunnyCDN)
- mintlify.s3-us-west-1.amazonaws.com (S3 images)
- fonts.googleapis.com (Google Fonts)
- cdn.jsdelivr.net (emoji assets)
- us.posthog.com (PostHog analytics)
- cdn.getkoala.com (Koala analytics)
- browser.sentry-cdn.com (Sentry error tracking)
- js.sentry-cdn.com (Sentry SDK)

Updated domain whitelist table and all CSP configuration examples
(Cloudflare, AWS CloudFront, Vercel) to include required domains.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Apply suggestions from code review

Co-authored-by: Mayank Shouche <[email protected]>

* Update guides/csp-configuration.mdx

Co-authored-by: Lucas <[email protected]>

* Update guides/csp-configuration.mdx

* Update CSP examples to match revised domain whitelist

- Remove mintlify-assets.b-cdn.net and mintlify.s3-us-west-1.amazonaws.com
- Add *.mintcdn.com wildcard domain to img-src and connect-src
- Update all configuration examples (main, Cloudflare, AWS CloudFront, Vercel)
- Align with reviewer feedback from PR #1202

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* remove redundancies in examples

---------

Co-authored-by: Claude <[email protected]>
Co-authored-by: Mayank Shouche <[email protected]>
Co-authored-by: Lucas <[email protected]>

Author: 4 people

guides/csp-configuration.mdx

@@ -23,15 +23,27 @@ The following CSP directives are used to control which resources can be loaded:
 | Domain | Purpose | CSP directive | Required |
 |:-------|:--------|:--------------|:-------|
 | `d4tuoctqmanu0.cloudfront.net` | KaTeX CSS, fonts | `style-src`, `font-src` | Required |
-| `*.mintlify.dev` | Documentation content | `connect-src` | Required |
+| `*.mintlify.dev` | Documentation content | `connect-src`, `frame-src` | Required |
+| `*.mintlify.com` | Dashboard, API, analytics proxy | `connect-src` | Required |
+| `leaves.mintlify.com` | Assistant API | `connect-src` | Required |
 | `d3gk2c5xim1je2.cloudfront.net` | Icons, images, logos | `img-src` | Required |
+| `d1ctpt7j8wusba.cloudfront.net` | Mint version and release files | `connect-src` | Required |
+| `mintcdn.com` | Images, favicons | `img-src`, `connect-src` | Required |
+| `*.mintcdn.com` | Images, favicons | `img-src`, `connect-src` | Required |
+| `api.mintlifytrieve.com` | Search API | `connect-src` | Required |
+| `cdn.jsdelivr.net` | Emoji assets for OG images | `script-src`, `img-src` | Required |
+| `fonts.googleapis.com` | Google Fonts | `style-src`, `font-src` | Optional |
 | `www.googletagmanager.com` | Google Analytics/GTM | `script-src`, `connect-src` | Optional |
 | `cdn.segment.com` | Segment analytics | `script-src`, `connect-src` | Optional |
 | `plausible.io` | Plausible analytics | `script-src`, `connect-src` | Optional |
+| `us.posthog.com` | PostHog analytics | `connect-src` | Optional |
+| `cdn.getkoala.com` | Koala analytics | `script-src` | Optional |
 | `tag.clearbitscripts.com` | Clearbit tracking | `script-src` | Optional |
 | `cdn.heapanalytics.com` | Heap analytics | `script-src` | Optional |
 | `chat.cdn-plain.com` | Plain chat widget | `script-src` | Optional |
 | `chat-assets.frontapp.com` | Front chat widget | `script-src` | Optional |
+| `browser.sentry-cdn.com` | Sentry error tracking | `script-src`, `connect-src` | Optional |
+| `js.sentry-cdn.com` | Sentry JavaScript SDK | `script-src` | Optional |
 
 ## Example CSP configuration
 
@@ -42,12 +54,14 @@ The following CSP directives are used to control which resources can be loaded:
 ```text wrap
 Content-Security-Policy:
 default-src 'self';
-script-src 'self' 'unsafe-inline' 'unsafe-eval' www.googletagmanager.com cdn.segment.com plausible.io tag.clearbitscripts.com cdn.heapanalytics.com
-chat.cdn-plain.com chat-assets.frontapp.com;
-style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net;
-font-src 'self' d4tuoctqmanu0.cloudfront.net;
-img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net;
-connect-src 'self' *.mintlify.dev www.googletagmanager.com cdn.segment.com plausible.io;
+script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net www.googletagmanager.com cdn.segment.com plausible.io
+us.posthog.com cdn.getkoala.com tag.clearbitscripts.com cdn.heapanalytics.com chat.cdn-plain.com chat-assets.frontapp.com
+browser.sentry-cdn.com js.sentry-cdn.com;
+style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com;
+font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com;
+img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net mintcdn.com *.mintcdn.com cdn.jsdelivr.net;
+connect-src 'self' *.mintlify.dev *.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com *.mintcdn.com
+api.mintlifytrieve.com www.googletagmanager.com cdn.segment.com plausible.io us.posthog.com browser.sentry-cdn.com;
 frame-src 'self' *.mintlify.dev;
 ```
 
@@ -66,7 +80,7 @@ Create a Response Header Transform Rule:
   - **Header name**: `Content-Security-Policy`
   - **Header value**:
     ```text wrap
-    default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net; font-src 'self' d4tuoctqmanu0.cloudfront.net; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net; connect-src 'self' *.mintlify.dev; frame-src 'self' *.mintlify.dev;
+    default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net mintcdn.com *.mintcdn.com cdn.jsdelivr.net; connect-src 'self' *.mintlify.dev *.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com *.mintcdn.com api.mintlifytrieve.com; frame-src 'self' *.mintlify.dev;
     ```
 4. Deploy your rule.
 
@@ -81,7 +95,7 @@ Add a response headers policy in CloudFront:
     "Config": {
     "SecurityHeadersConfig": {
         "ContentSecurityPolicy": {
-        "ContentSecurityPolicy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net; font-src 'self' d4tuoctqmanu0.cloudfront.net; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net; connect-src 'self' *.mintlify.dev; frame-src 'self' *.mintlify.dev;",
+        "ContentSecurityPolicy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net mintcdn.com *.mintcdn.com cdn.jsdelivr.net; connect-src 'self' *.mintlify.dev *.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com *.mintcdn.com api.mintlifytrieve.com; frame-src 'self' *.mintlify.dev;",
         "Override": true
         }
       }
@@ -102,7 +116,7 @@ Add to your `vercel.json`:
     "headers": [
         {
         "key": "Content-Security-Policy",
-        "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net; font-src 'self' d4tuoctqmanu0.cloudfront.net; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net; connect-src 'self' *.mintlify.dev; frame-src 'self' *.mintlify.dev;"
+        "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net mintcdn.com *.mintcdn.com cdn.jsdelivr.net; connect-src 'self' *.mintlify.dev *.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com *.mintcdn.com api.mintlifytrieve.com; frame-src 'self' *.mintlify.dev;"
         }
       ]
     }