Content Security Policy
The Content Security Policy (CSP) is a browser security standard designed to mitigate Cross-Site Scripting (XSS) and other content-injection attacks. A page delivers its policy in the Content-Security-Policy response header (or a meta tag), and the policy lists, per resource type (scripts, styles, images, frames, network connections, and so on), the origins the browser may load from.
Because the browser refuses to load or execute anything from an origin the policy does not allow, CSP limits what an injected script can do even when an injection bug exists. The same mechanism means that a third-party component such as a Descope Flow will be blocked unless the origins it loads from are explicitly allowed.
If you choose to utilize CSP with Descope Flows, below is an example of a valid CSP configuration, including the necessary references to static.descope.com.
If you're using Descope with a private tenant, then you will need to request a specific CSP policy from Descope support directly.
Customers without Custom Domain
Customers with Custom Domain
In this example, the CNAME record is configured to be auth.example.com, with the App URL being https://example.com.
Your CSP will need to allow both of these origins in the relevant directives in order to use flows without browser errors. If either is missing, the browser blocks the request and reports a CSP violation in the developer console (and to any report-uri/report-to endpoint you have configured), and the flow fails to load or fails partway through.
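To see why a missing origin breaks a flow, it helps to evaluate a policy the way the browser does. The following is an added example (not Descope's code and not Descope's recommended policy): a small evaluator for CSP fetch directives that parses a header value and answers whether a given URL is allowed under a given directive, including the default-src fallback that applies when a directive is absent. The sample policy and the request URLs are constructed for the custom-domain layout described above (auth.example.com as the CNAME, https://example.com as the app); which directives Descope actually requires is not something this example claims. It handles 'self', 'none', scheme sources, host sources with *. wildcards, ports and paths, and does not handle nonces, hashes, 'strict-dynamic' or redirects.

```javascript
// Added example: a minimal evaluator for CSP fetch directives.
// Not Descope code; a subset of the CSP3 matching rules, for illustration.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parsePolicy(header) {
  const policy = new Map();
  for (const chunk of header.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Effective port of a URL (explicit port, else the scheme's default).
function portOf(url) {
  return url.port || DEFAULT_PORT[url.protocol] || '';
}

// Does one source expression match the request URL, given the page's URL?
function sourceMatches(source, url, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === page.origin;
  if (s.startsWith("'")) return false;              // nonces, hashes, 'unsafe-*' never match a URL
  if (s === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);

  // scheme-source such as "https:" (an "http:" source also permits https)
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {
    return url.protocol === s || (s === 'http:' && url.protocol === 'https:');
  }

  // host-source: [scheme://]host[:port][/path]
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false;
  const [, srcScheme, srcHost, srcPort, srcPath] = m;

  // scheme: an explicit one must match; otherwise the page's own scheme applies
  const wantScheme = srcScheme ? srcScheme + ':' : page.protocol;
  if (url.protocol !== wantScheme && !(wantScheme === 'http:' && url.protocol === 'https:')) return false;

  // host: "*.descope.com" matches any subdomain but not the bare domain
  const host = url.hostname.toLowerCase();
  if (srcHost === '*') { /* any host */ }
  else if (srcHost.startsWith('*.')) { if (!host.endsWith(srcHost.slice(1))) return false; }
  else if (host !== srcHost) return false;

  // port: explicit port or '*'; with none given, only the scheme's default port matches
  if (srcPort === '*') { /* any port */ }
  else if (srcPort) { if (portOf(url) !== srcPort) return false; }
  else if (url.port && url.port !== DEFAULT_PORT[url.protocol]) return false;

  // path: a trailing "/" means prefix match, anything else must match exactly
  if (srcPath) {
    if (srcPath.endsWith('/')) { if (!url.pathname.startsWith(srcPath)) return false; }
    else if (url.pathname !== srcPath) return false;
  }
  return true;
}

// Would the browser allow loading urlString under `directive` on page `pageUrl`?
function isAllowed(header, directive, urlString, pageUrl) {
  const policy = parsePolicy(header);
  const url = new URL(urlString);
  const page = new URL(pageUrl);
  // Fetch directives fall back to default-src when they are not set at all.
  const sources = policy.get(directive.toLowerCase()) ?? policy.get('default-src');
  if (sources === undefined) return true;           // nothing governs this type: allowed
  return sources.some((src) => sourceMatches(src, url, page));
}

// Constructed sample policy (an assumption for illustration, not Descope's required set).
const SAMPLE_POLICY =
  "default-src 'self'; " +
  "script-src 'self' https://static.descope.com; " +
  "connect-src 'self' https://auth.example.com; " +
  "frame-src https://*.descope.com";

// Constructed requests a flow page at https://example.com might make.
const APP = 'https://example.com';
for (const [directive, url] of [
  ['script-src', 'https://static.descope.com/flow.js'],   // allowed: listed host
  ['script-src', 'http://static.descope.com/flow.js'],    // blocked: scheme mismatch
  ['connect-src', 'https://auth.example.com/'],           // allowed: CNAME host
  ['img-src', 'https://static.descope.com/logo.png'],     // blocked: default-src 'self' applies
]) {
  console.log(directive, url, isAllowed(SAMPLE_POLICY, directive, url, APP) ? 'allowed' : 'BLOCKED');
}
```

The img-src case is the one that bites in practice: a directive you never wrote is still enforced through default-src, so an asset that the flow loads from an origin listed only under script-src is blocked. When rolling out a new policy, ship it first as Content-Security-Policy-Report-Only and exercise the full flow; the console and report endpoint then list every origin and directive you still need to add before switching to the enforcing header.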