Content Security Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS) attacks by controlling which resources a web page can load. Mintlify serves a default CSP that protects most sites. If you host your documentation behind a reverse proxy or firewall, that overwrites the default CSP, you may need to configure CSP headers for features to function properly.

CSP directives

The following CSP directives are used to control which resources can be loaded:
  • script-src: Controls which scripts can be executed
  • style-src: Controls which stylesheets can be loaded
  • font-src: Controls which fonts can be loaded
  • img-src: Controls which images, icons, and logos can be loaded
  • connect-src: Controls which URLs can be connected to for API calls and WebSocket connections
  • frame-src: Controls which URLs can be embedded in frames or iframes
  • default-src: Fallback for other directives when not explicitly set

Domain whitelist

DomainPurposeCSP directiveRequired
d4tuoctqmanu0.cloudfront.netKaTeX CSS, fontsstyle-src, font-srcRequired
*.mintlify.devDocumentation contentconnect-src, frame-srcRequired
*.mintlify.comDashboard, API, analytics proxyconnect-srcRequired
leaves.mintlify.comAssistant APIconnect-srcRequired
d3gk2c5xim1je2.cloudfront.netIcons, images, logosimg-srcRequired
d1ctpt7j8wusba.cloudfront.netMint version and release filesconnect-srcRequired
mintcdn.comImages, faviconsimg-src, connect-srcRequired
*.mintcdn.comImages, faviconsimg-src, connect-srcRequired
api.mintlifytrieve.comSearch APIconnect-srcRequired
cdn.jsdelivr.netEmoji assets for OG imagesscript-src, img-srcRequired
fonts.googleapis.comGoogle Fontsstyle-src, font-srcOptional
www.googletagmanager.comGoogle Analytics/GTMscript-src, connect-srcOptional
cdn.segment.comSegment analyticsscript-src, connect-srcOptional
plausible.ioPlausible analyticsscript-src, connect-srcOptional
us.posthog.comPostHog analyticsconnect-srcOptional
cdn.getkoala.comKoala analyticsscript-srcOptional
tag.clearbitscripts.comClearbit trackingscript-srcOptional
cdn.heapanalytics.comHeap analyticsscript-srcOptional
chat.cdn-plain.comPlain chat widgetscript-srcOptional
chat-assets.frontapp.comFront chat widgetscript-srcOptional
browser.sentry-cdn.comSentry error trackingscript-src, connect-srcOptional
js.sentry-cdn.comSentry JavaScript SDKscript-srcOptional

Example CSP configuration

Only include domains for services that you use. Remove any analytics domains that you have not configured for your documentation.
Content-Security-Policy:
default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net www.googletagmanager.com cdn.segment.com plausible.io
us.posthog.com cdn.getkoala.com tag.clearbitscripts.com cdn.heapanalytics.com chat.cdn-plain.com chat-assets.frontapp.com
browser.sentry-cdn.com js.sentry-cdn.com;
style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com;
font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com;
img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net mintcdn.com *.mintcdn.com cdn.jsdelivr.net;
connect-src 'self' *.mintlify.dev *.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com *.mintcdn.com
api.mintlifytrieve.com www.googletagmanager.com cdn.segment.com plausible.io us.posthog.com browser.sentry-cdn.com;
frame-src 'self' *.mintlify.dev;

Common configurations by proxy type

Most reverse proxies support adding custom headers.

Cloudflare configuration

Create a Response Header Transform Rule:
  1. In your Cloudflare dashboard, go to Rules > Overview.
  2. Select Create rule > Response Header Transform Rule.
  3. Configure the rule:
  • Modify response header: Set static
  • Header name: Content-Security-Policy
  • Header value: 
    default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net mintcdn.com *.mintcdn.com cdn.jsdelivr.net; connect-src 'self' *.mintlify.dev *.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com *.mintcdn.com api.mintlifytrieve.com; frame-src 'self' *.mintlify.dev;
  1. Deploy your rule.

AWS CloudFront configuration

Add a response headers policy in CloudFront: 
{
"ResponseHeadersPolicy": {
    "Name": "MintlifyCSP",
    "Config": {
    "SecurityHeadersConfig": {
        "ContentSecurityPolicy": {
        "ContentSecurityPolicy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net mintcdn.com *.mintcdn.com cdn.jsdelivr.net; connect-src 'self' *.mintlify.dev *.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com *.mintcdn.com api.mintlifytrieve.com; frame-src 'self' *.mintlify.dev;",
        "Override": true
        }
      }
    }
  }
}

Vercel configuration

Add to your vercel.json: 
{
"headers": [
    {
    "source": "/(.*)",
    "headers": [
        {
        "key": "Content-Security-Policy",
        "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; font-src 'self' d4tuoctqmanu0.cloudfront.net fonts.googleapis.com; img-src 'self' data: blob: d3gk2c5xim1je2.cloudfront.net mintcdn.com *.mintcdn.com cdn.jsdelivr.net; connect-src 'self' *.mintlify.dev *.mintlify.com d1ctpt7j8wusba.cloudfront.net mintcdn.com *.mintcdn.com api.mintlifytrieve.com; frame-src 'self' *.mintlify.dev;"
        }
      ]
    }
  ]
}

Troubleshooting

Identify CSP violations in your browser console:
  1. Open your browser’s Developer Tools.
  2. Go to the Console tab.
  3. Look for errors starting with:
    • Content Security Policy: The page's settings blocked the loading of a resource
    • Refused to load the script/stylesheet because it violates the following Content Security Policy directive
    • Refused to connect to because it violates the following Content Security Policy directive