This article explains how to configure a content security policy (CSP) for Freshdesk portal layout customization. CSP is a browser-enforced security layer that restricts where your Freshdesk portal may load scripts, styles, frames and other resources from, which helps protect the portal from content-injection attacks.

To configure CSP:

  1. Log in to Freshdesk as admin.

  2. If you have a Classic or Mint theme (portal v1), go to Admin > Portals > Customize portals and select Layout & pages.

  3. Under Head, enter the content security policy syntax:

    <meta http-equiv="Content-Security-Policy" content="script-src example1.scriptsource.com example2.scriptsource.com; style-src example1.stylesource.com example2.stylesource.com; frame-src example1.framesource.com example2.framesource.com; connect-src example1.connectsrc.com example2.connectsrc.com" />

    Note: For the Classic and Mint themes, add 'unsafe-eval' to the script and style sources.

    Example: <meta http-equiv="Content-Security-Policy" content="style-src *.freshdesk.com *.freshworks.com https://fonts.googleapis.com/css https://*.freshchat.com/ 'unsafe-inline' example1.stylesource.com example2.stylesource.com; connect-src https://*.freshdesk.com https://*.freshworks.com https://www.google-analytics.com/ example1.connectsrc.com" />


  4. If you have a Marina theme (portal v2), go to Admin > Portals > Customize and select Edit theme.

  5. Click the Pages tab.

  6. Under Head, enter the content security policy syntax:

    <meta http-equiv="Content-Security-Policy" content="script-src example1.scriptsource.com example2.scriptsource.com; style-src example1.stylesource.com example2.stylesource.com; frame-src example1.framesource.com example2.framesource.com; connect-src example1.connectsrc.com example2.connectsrc.com" />

  7. After making the changes, Save and Publish.


You can verify that the CSP is in effect on your portal by viewing its page source: right-click anywhere on the portal, select Inspect, and open the Elements tab; the meta tag should appear inside the head. Any resource the policy refuses to load is reported as a CSP violation in the browser's Console tab, which is the quickest way to spot a customization source you forgot to allow.

List of default sources (along with these defaults, add the sources your customizations load, so the policy does not block them and disrupt the portal):

Script source (script-src): "*.freshdesk.com *.freshworks.com https://s3.amazonaws.com/assets.freshdesk.com/ https://s3.amazonaws.com/cdn.freshdesk.com https://www.google.com/recaptcha/api.js https://www.recaptcha.net/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.google.com/recaptcha/enterprise.js https://www.google-analytics.com/analytics.js https://static.freshdev.io/fdk/2.0/assets/fresh_parent.js https://s3.amazonaws.com/assets.freshdesk.com/widget/freshwidget.js https://www.dropbox.com/static/api/1/dropbox.js https://www.dropbox.com/static/api/2/dropins.js https://cdn.freshbots.ai/assets/share/js/freshbots.min.js https://cdn.euc-freshbots.ai/assets/share/js/freshbots.min.js https://cdn.in-freshbots.ai/assets/share/js/freshbots.min.js https://cdn.au-freshbots.ai/assets/share/js/freshbots.min.js https://*.freshchat.com/ 'unsafe-inline'"
Font source (font-src): "*.freshdesk.com *.freshworks.com https://fonts.googleapis.com/css https://fonts.gstatic.com/ data:"
Style source (style-src): "*.freshdesk.com *.freshworks.com https://fonts.googleapis.com/css https://*.freshchat.com/ 'unsafe-inline'"
Connect source (connect-src): "https://*.freshdesk.com https://*.freshworks.com https://www.google-analytics.com/"
Frame source (frame-src): "https:"
Image source (img-src): "https: data: blob:"

Note: For accounts with CNAME domains, add the domain name to every source directive. Example: image source: "https: data: blob: https://cname.com/"
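Before publishing, it helps to check that every resource your customizations load is actually allowed by the policy you assembled from the defaults above. The following script is an added example, not Freshdesk's code: it parses a CSP string and applies simplified CSP source matching (scheme sources such as https: and data:, wildcard hosts such as *.freshdesk.com, and path prefixes) to a constructed list of resources; the .example hosts are placeholders, and 'self', nonces and hashes are not modelled.

```python
from urllib.parse import urlparse

# Defaults from this article plus one custom source (example1.scriptsource.com, the article's placeholder).
POLICY = ("script-src *.freshdesk.com *.freshworks.com 'unsafe-inline' example1.scriptsource.com; "
          "style-src *.freshdesk.com https://fonts.googleapis.com/css 'unsafe-inline'; "
          "connect-src https://*.freshdesk.com https://www.google-analytics.com/; "
          "frame-src https:; img-src https: data: blob:")

def parse_csp(policy):
    """Split a CSP string into {directive: [source expressions]}."""
    parts = [p.split() for p in policy.split(";")]
    return {t[0].lower(): t[1:] for t in parts if t}

def source_matches(source, url):
    """Simplified CSP source matching ('self', nonces and hashes are not modelled)."""
    if source.startswith("'"):                      # keywords never match a URL
        return False
    u = urlparse(url)
    if source.endswith(":") and "/" not in source:  # scheme-source such as https: or data:
        return u.scheme == source[:-1].lower()
    scheme, _, rest = source.rpartition("://")
    if scheme and scheme.lower() != u.scheme:
        return False
    host, slash, path = rest.partition("/")
    host, uhost = host.lower(), (u.hostname or "")
    # *.x.com matches a.x.com but not x.com itself; without a path part, any path is allowed
    ok = uhost.endswith(host[1:]) if host.startswith("*.") else uhost == host
    if not ok or not slash:
        return ok
    path, upath = "/" + path, (u.path or "/")       # trailing "/" means prefix, else exact
    return upath.startswith(path) if path.endswith("/") else upath == path

def blocked_resources(policy, resources):
    """Return the (directive, url) pairs the policy would refuse to load."""
    d = parse_csp(policy)
    blocked = []
    for directive, url in resources:
        sources = d.get(directive, d.get("default-src"))  # CSP falls back to default-src
        if sources is not None and not any(source_matches(s, url) for s in sources):
            blocked.append((directive, url))
    return blocked

# Constructed list of what a customized portal might load; .example hosts are placeholders.
CUSTOM_RESOURCES = [
    ("script-src", "https://example1.scriptsource.com/widget.js"),
    ("script-src", "https://cdn.other-vendor.example/chat.js"),
    ("style-src", "https://fonts.googleapis.com/css?family=Roboto"),
    ("connect-src", "https://api.cname.example/tickets"),
    ("img-src", "data:image/png;base64,AAAA"),
]
```

Running `blocked_resources(POLICY, CUSTOM_RESOURCES)` reports the second script and the connect endpoint as blocked, which is exactly what the browser would show as CSP violations after publishing.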