35 changes: 25 additions & 10 deletions guides/csp-configuration.mdx
Expand Up @@ -23,15 +23,27 @@
| Domain | Purpose | CSP directive | Required |
|:-------|:--------|:--------------|:-------|
| `d4tuoctqmanu0.cloudfront.net` | KaTeX CSS, fonts | `style-src`, `font-src` | Required |
| `*.mintlify.dev` | Documentation content | `connect-src` | Required |
| `*.mintlify.dev` | Documentation content | `connect-src`, `frame-src` | Required |
| `*.mintlify.com` | Dashboard, API, analytics proxy | `connect-src` | Required |
| `leaves.mintlify.com` | Assistant API | `connect-src` | Required |
| `d3gk2c5xim1je2.cloudfront.net` | Icons, images, logos | `img-src` | Required |
| `d1ctpt7j8wusba.cloudfront.net` | Mint version and release files | `connect-src` | Required |
| `mintcdn.com` | Images, favicons | `img-src`, `connect-src` | Required |
| `*.mintcdn.com` | Images, favicons | `img-src`, `connect-src` | Required |
| `api.mintlifytrieve.com` | Search API | `connect-src` | Required |
| `fonts.googleapis.com` | Google Fonts | `style-src`, `font-src` | Optional |
| `cdn.jsdelivr.net` | Emoji assets for OG images | `script-src`, `img-src` | Required |
| `www.googletagmanager.com` | Google Analytics/GTM | `script-src`, `connect-src` | Optional |
| `cdn.segment.com` | Segment analytics | `script-src`, `connect-src` | Optional |
| `plausible.io` | Plausible analytics | `script-src`, `connect-src` | Optional |
| `us.posthog.com` | PostHog analytics | `connect-src` | Optional |
| `cdn.getkoala.com` | Koala analytics | `script-src` | Optional |
| `tag.clearbitscripts.com` | Clearbit tracking | `script-src` | Optional |
| `cdn.heapanalytics.com` | Heap analytics | `script-src` | Optional |
| `chat.cdn-plain.com` | Plain chat widget | `script-src` | Optional |
| `chat-assets.frontapp.com` | Front chat widget | `script-src` | Optional |
| `browser.sentry-cdn.com` | Sentry error tracking | `script-src`, `connect-src` | Optional |
| `js.sentry-cdn.com` | Sentry JavaScript SDK | `script-src` | Optional |

## Example CSP configuration

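Review bot: the `mintcdn.com` row is replaced by `*.mintcdn.com`, but a `*.` host-source in CSP matches only subdomains, never the apex host itself, and the example policies further down this file still list the bare `mintcdn.com` in `img-src` and `connect-src`; either keep both `mintcdn.com` and `*.mintcdn.com` in the table and the examples, or confirm that nothing is ever loaded from the apex. Two further table/example mismatches: `d1ctpt7j8wusba.cloudfront.net` is documented here as `connect-src` only while the examples also put it in `img-src`, and `mintlify-assets.b-cdn.net` and `mintlify.s3-us-west-1.amazonaws.com` appear in the examples' `img-src` with no row at all. Every host the examples allow should have a row with the matching directives so readers can audit the allowlist against what they actually deploy.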
Expand All @@ -42,12 +54,15 @@
```text wrap
Content-Security-Policy:
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval' www.googletagmanager.com cdn.segment.com plausible.io tag.clearbitscripts.com cdn.heapanalytics.com
chat.cdn-plain.com chat-assets.frontapp.com;
style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net;
font-src 'self' d4tuoctqmanu0.cloudfront.net;
img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net;
connect-src 'self' *.mintlify.dev www.googletagmanager.com cdn.segment.com plausible.io;
script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net www.googletagmanager.com cdn.segment.com plausible.io
us.posthog.com cdn.getkoala.com tag.clearbitscripts.com cdn.heapanalytics.com chat.cdn-plain.com chat-assets.frontapp.com
browser.sentry-cdn.com js.sentry-cdn.com;
style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com;
font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com;
img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net d1ctpt7j8wusba.cloudfront.net mintcdn.com
mintlify-assets.b-cdn.net mintlify.s3-us-west-1.amazonaws.com cdn.jsdelivr.net;
connect-src 'self' *.mintlify.dev *.mintlify.com leaves.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com
api.mintlifytrieve.com www.googletagmanager.com cdn.segment.com plausible.io us.posthog.com browser.sentry-cdn.com;
frame-src 'self' *.mintlify.dev;
```

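Review bot: `script-src` keeps `'unsafe-inline'` and `'unsafe-eval'`, which removes most of the script-injection protection a CSP provides; the guide should state which Mintlify components require them so readers can judge the trade-off instead of inheriting them silently as the recommended baseline. This example also merges every Optional host from the table into the policy, so as written it is the maximal allowlist; a sentence saying that readers should drop the analytics and chat hosts they do not use would keep deployments closer to least privilege. Finally, the directives are wrapped across lines for readability, but an HTTP header value is a single line, so a note that the line breaks must be removed (as the one-line values in the later snippets do) would prevent copy-paste errors.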
Expand All @@ -66,7 +81,7 @@
- **Header name**: `Content-Security-Policy`
- **Header value**:
```text wrap
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net; font-src 'self' d4tuoctqmanu0.cloudfront.net; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net; connect-src 'self' *.mintlify.dev; frame-src 'self' *.mintlify.dev;
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net d1ctpt7j8wusba.cloudfront.net mintcdn.com mintlify-assets.b-cdn.net mintlify.s3-us-west-1.amazonaws.com cdn.jsdelivr.net; connect-src 'self' *.mintlify.dev *.mintlify.com leaves.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com api.mintlifytrieve.com; frame-src 'self' *.mintlify.dev;
```
4. Deploy your rule.

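Review bot: this one-line value includes `d1ctpt7j8wusba.cloudfront.net` in `img-src`, while the table documents that host under `connect-src` only, so one of the two should be corrected. It also contains only the Required hosts without saying so; a short sentence before the value noting that it is the required-only policy and that any Optional hosts from the table must be appended to the listed directive would make the rule usable as written.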
Expand All @@ -81,7 +96,7 @@
"Config": {
"SecurityHeadersConfig": {
"ContentSecurityPolicy": {
"ContentSecurityPolicy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net; font-src 'self' d4tuoctqmanu0.cloudfront.net; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net; connect-src 'self' *.mintlify.dev; frame-src 'self' *.mintlify.dev;",
"ContentSecurityPolicy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net d1ctpt7j8wusba.cloudfront.net mintcdn.com mintlify-assets.b-cdn.net mintlify.s3-us-west-1.amazonaws.com cdn.jsdelivr.net; connect-src 'self' *.mintlify.dev *.mintlify.com leaves.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com api.mintlifytrieve.com; frame-src 'self' *.mintlify.dev;",
"Override": true
}
}
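Review bot: `"Override": true` makes CloudFront replace any `Content-Security-Policy` header the origin already sends, so an origin-side policy is silently dropped in favour of this one; the guide should say so and tell readers who need both to merge their own allowlist into this value. The policy string is also a verbatim copy of the one in the previous hunk, so every future domain change has to be repeated in each snippet; pointing readers to the table as the source of truth, or building the snippets from a single shared value, would reduce drift between them.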
Expand All @@ -102,7 +117,7 @@
"headers": [
{
"key": "Content-Security-Policy",
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net; font-src 'self' d4tuoctqmanu0.cloudfront.net; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net; connect-src 'self' *.mintlify.dev; frame-src 'self' *.mintlify.dev;"
"value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net d1ctpt7j8wusba.cloudfront.net mintcdn.com mintlify-assets.b-cdn.net mintlify.s3-us-west-1.amazonaws.com cdn.jsdelivr.net; connect-src 'self' *.mintlify.dev *.mintlify.com leaves.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com api.mintlifytrieve.com; frame-src 'self' *.mintlify.dev;"
}
]
}
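Review bot: this `headers` entry carries the same policy string as the two snippets above, which now have to be kept identical by hand; at minimum add a line stating that all three must be updated together whenever the table changes. Unlike the CloudFront snippet there is no override semantics here, so if the hosting platform already emits its own `Content-Security-Policy`, browsers enforce both headers and only what both permit is allowed; the guide should tell readers to ensure a single CSP header is sent.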