Content Security Policy

If your application sets a Content-Security-Policy header, you must add ShieldLabs to the allowlists.

Required directives

script-src  'self' https://shieldlabs.ai https://cdn.shieldlabs.ai https://cdn.jsdelivr.net;
connect-src 'self' blob: *.shieldlabs.ai wss://*.shieldlabs.ai https://cdn.jsdelivr.net;
img-src     'self' data: https://rest.shieldlabs.ai;

Directive	Required for
`script-src https://cdn.shieldlabs.ai`	Loading the JS snippet
`script-src https://cdn.jsdelivr.net`	MixVisit fingerprint library (`@mix-visit/lite`)
`connect-src *.shieldlabs.ai`	REST API, WebRTC, and ICE connections
`connect-src https://cdn.jsdelivr.net`	MixVisit module fetch
`connect-src wss://*.shieldlabs.ai`	WebSocket connections for WebRTC
`connect-src blob:`	WebRTC STUN/ICE (required for network fingerprinting)
`img-src https://rest.shieldlabs.ai`	noscript beacon (optional, see below)

Nginx example

add_header Content-Security-Policy "
  default-src 'self';
  script-src  'self' https://shieldlabs.ai https://cdn.shieldlabs.ai https://cdn.jsdelivr.net;
  connect-src 'self' blob: *.shieldlabs.ai wss://*.shieldlabs.ai https://cdn.jsdelivr.net;
  img-src     'self' data: https://rest.shieldlabs.ai;
  style-src   'self' 'unsafe-inline';
  font-src    'self';
  base-uri    'self';
  frame-ancestors 'none'
" always;

Next.js example

// next.config.js
const ContentSecurityPolicy = `
  default-src 'self';
  script-src  'self' https://shieldlabs.ai https://cdn.shieldlabs.ai https://cdn.jsdelivr.net;
  connect-src 'self' blob: *.shieldlabs.ai wss://*.shieldlabs.ai https://cdn.jsdelivr.net;
  img-src     'self' data: https://rest.shieldlabs.ai;
`;

module.exports = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          {
            key: 'Content-Security-Policy',
            value: ContentSecurityPolicy.replace(/\n/g, ''),
          },
        ],
      },
    ];
  },
};

noscript beacon

The noscript beacon requires img-src https://rest.shieldlabs.ai. See Advanced SDK for details.

What the SDK connects to

Host	Purpose
`cdn.shieldlabs.ai`	Snippet CDN
`cdn.jsdelivr.net`	MixVisit fingerprint library
`rest.shieldlabs.ai`	REST fingerprint endpoint
`webrtc.shieldlabs.ai`	WebRTC ICE session
`ice.shieldlabs.ai:3478`	STUN (UDP)

​Content Security Policy

​Required directives

​Nginx example

​Next.js example

​noscript beacon

​What the SDK connects to

Content Security Policy

Required directives

Nginx example

Next.js example

noscript beacon

What the SDK connects to