Skip to content

Commit 5025fcb

Browse files
bkrembkrem
committed
chore: adds page for Content Security Policy guidance
1 parent b795682 commit 5025fcb

File tree

1 file changed

+37
-0
lines changed

1 file changed

+37
-0
lines changed

docs/advanced/security/content-security-policy.md

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
# Content Security Policy (CSP)
2+
3+
## Overview
4+
5+
A Content Security Policy (CSP) is a security feature that helps protect web applications from various attacks like Cross-Site Scripting (XSS), clickjacking, and data injection. By specifying allowed content sources, CSPs minimize the risk of executing malicious content on your site.
6+
7+
## CSP Guidance
8+
9+
The following is a **partial CSP** that covers WalletConnect's libraries and services. Note that **you may need to define additional sources based on your application's requirements**.
10+
11+
```
12+
default-src 'self';
13+
script-src 'self';
14+
style-src https://fonts.googleapis.com;
15+
img-src 'self' data: blob: https://walletconnect.org https://walletconnect.com https://secure.walletconnect.com https://secure.walletconnect.org https://tokens-data.1inch.io https://tokens.1inch.io https://ipfs.io;
16+
font-src 'self' https://fonts.gstatic.com;
17+
connect-src 'self' https://rpc.walletconnect.com https://rpc.walletconnect.org https://explorer.walletconnect.com https://explorer.walletconnect.org https://relay.walletconnect.com https://relay.walletconnect.org wss://relay.walletconnect.com wss://relay.walletconnect.org https://pulse.walletconnect.com https://pulse.walletconnect.org https://api.web3modal.com https://api.web3modal.org wss://www.walletlink.org;
18+
frame-src 'self' https://verify.walletconnect.com https://verify.walletconnect.org https://secure.walletconnect.com https://secure.walletconnect.org;
19+
```
20+
21+
## Testing and Deploying Your CSP
22+
23+
### Test Your CSP in a Staging Environment
24+
25+
Run through your standard user flows in a staging environment with CSP enforcement. This may include connecting to browser extension wallets, transacting, logging out, etc. Directives may need updates after SDK upgrades. Always test your CSP again before deploying updates to production.
26+
27+
### Using Report-Only Mode
28+
29+
Use the `Content-Security-Policy-Report-Only` header, which sends violation reports without enforcing policies. This helps assess the impact of CSP changes without affecting functionality.
30+
31+
### Deployment
32+
33+
First deploy your CSP in `report-only` mode. After validation, migrate to `Content-Security-Policy` for enforcement.
34+
35+
### Monitoring
36+
37+
Configure `report-uri` to receive violation reports and set up a monitoring dashboard for review.

0 commit comments

Comments
 (0)