Content Security Policy

If your application sets a Content-Security-Policy header, you must add the ShieldLabs hosts to its allowlists; otherwise the browser blocks the snippet, its API calls, or both.

Required directives

script-src  'self' https://shieldlabs.ai https://cdn.shieldlabs.ai;
connect-src 'self' blob: *.shieldlabs.ai wss://*.shieldlabs.ai;
img-src     'self' data: https://rest.shieldlabs.ai;
Directive                              Required for
script-src https://cdn.shieldlabs.ai   Loading the JS snippet
connect-src *.shieldlabs.ai            REST API calls and WebRTC data channel
connect-src wss://*.shieldlabs.ai      WebSocket connections for real-time checks
connect-src blob:                      WebRTC STUN/ICE (required for network fingerprinting)
img-src https://rest.shieldlabs.ai     noscript beacon (optional, see below)

Nginx example

# Keep the value on a single line: nginx does not strip the newlines of a
# multi-line quoted string, and a bare LF inside a header value is invalid.
# "always" also sends the header on error responses (4xx/5xx).
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://shieldlabs.ai https://cdn.shieldlabs.ai; connect-src 'self' blob: *.shieldlabs.ai wss://*.shieldlabs.ai; img-src 'self' data: https://rest.shieldlabs.ai; style-src 'self' 'unsafe-inline'; font-src 'self'; base-uri 'self'; frame-ancestors 'none'" always;

Next.js example

// next.config.js
const ContentSecurityPolicy = `
  default-src 'self';
  script-src  'self' https://shieldlabs.ai https://cdn.shieldlabs.ai;
  connect-src 'self' blob: *.shieldlabs.ai wss://*.shieldlabs.ai;
  img-src     'self' data: https://rest.shieldlabs.ai;
`;

module.exports = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          {
            key: 'Content-Security-Policy',
            // Collapse to one line: a header value must not contain newlines.
            value: ContentSecurityPolicy.replace(/\n/g, ''),
          },
        ],
      },
    ];
  },
};

noscript beacon

The noscript beacon requires img-src https://rest.shieldlabs.ai. See Advanced SDK for details.
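To check a policy before shipping it, here is an added example (not ShieldLabs code) that parses a Content-Security-Policy header value and reports which of the required sources from the table above it fails to admit, applying the CSP fallback from a missing directive to default-src. It ignores ports, paths, nonces and hashes and assumes an https page, so review policies that rely on those by hand.

```javascript
// Added example, not ShieldLabs code. Ports, paths, nonces and hashes are ignored,
// and scheme-less source expressions are assumed to cover https only (https page).
const REQUIRED = [
  ['script-src', 'https://cdn.shieldlabs.ai'],
  ['connect-src', '*.shieldlabs.ai'],
  ['connect-src', 'wss://*.shieldlabs.ai'],
  ['connect-src', 'blob:'],
  ['img-src', 'https://rest.shieldlabs.ai'], // only needed for the noscript beacon
];
const NETWORK = new Set(['http', 'https', 'ws', 'wss']);
// Header value -> Map(directive -> [source expressions]); a repeated directive is ignored, as in CSP.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// 'wss://*.shieldlabs.ai' -> {scheme: 'wss', host: '*.shieldlabs.ai'}; 'blob:' -> {scheme: 'blob', host: null}
function splitSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):(?:\/\/|$))?([^/:]*)/.exec(expr.toLowerCase());
  return { scheme: m[1] || null, host: m[2] || null };
}

// Does one listed source expression cover the wanted one?
function admits(listedExpr, wantedExpr) {
  const l = splitSource(listedExpr), w = splitSource(wantedExpr);
  if (!w.host) return !l.host && l.scheme === w.scheme;     // blob:/data: need that exact scheme source; '*' does not cover them
  const ws = w.scheme || 'https', ls = l.scheme || 'https';
  if (l.host === '*' && !l.scheme) return NETWORK.has(ws);  // bare '*' covers network schemes only
  if (!l.host) return l.scheme === ws;                       // 'https:' covers every https host
  const hostOk = l.host === w.host ||
    (l.host.startsWith('*.') && w.host.endsWith(l.host.slice(1)) && w.host.length > l.host.length - 1);
  return hostOk && (ls === ws || (ls === 'http' && ws === 'https') || (ls === 'ws' && ws === 'wss'));
}

// Sources the policy fails to admit, as "directive expression" strings; [] means the SDK is allowlisted.
function missingSources(header, { noscriptBeacon = false } = {}) {
  const policy = parseCsp(header);
  return REQUIRED
    .filter(([d]) => d !== 'img-src' || noscriptBeacon)
    .filter(([d, expr]) => {
      const sources = policy.get(d) ?? policy.get('default-src') ?? null; // CSP fallback; null = unrestricted
      return sources !== null && !sources.some((s) => admits(s, expr));
    })
    .map(([d, expr]) => `${d} ${expr}`);
}
```

Running `missingSources` over the Next.js policy above returns an empty list, while a policy of only `default-src 'self'` reports all four required sources, because each directive falls back to default-src.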

What the SDK connects to

Host                    Purpose
cdn.shieldlabs.ai       Snippet CDN
rest.shieldlabs.ai      REST fingerprint endpoint
api.shieldlabs.ai       Dashboard API
wss://*.shieldlabs.ai   WebRTC/WebSocket channel