If you're not sure which version of the Members Portal you're using, head over to Settings > Website on the Admin Panel or check out Finding your Members Portal Version for more details.
Content-Security-Policy headers let you restrict which resources and content can be loaded on your Members Portal, as well as the URLs they can be loaded from.
Sources can include things such as code snippets, images, or embedded content. For more details on the sources, head down to Directive sources explained.
You only need one directive per source you'd like to specify.
For example, if you often embed YouTube videos and Spotify playlists in your blog posts or discussion boards, you don't need two frame-src directives. One frame-src directive covers both, as below:
https://spotify.com https://www.youtube.com;
- Log in to dashboard.nexudus.com if you aren't already.
- Click on Settings > Security options.
- Click on the dropdown menu under Member Portal CSP Header and select a directive source.
- Click on Add directive.
- Specify the sources you want to allow under the source.
  - Separate each source you add with a single space.
  - Close your list of sources with a semicolon (;).
  Examples:
  ✅ 'self'; to only allow sources that come from your Nexudus account
  ✅ 'self' https://website.com; to allow sources that come from your Nexudus account and from website.com
- Click the Save Changes button.
- Repeat the process for every other directive you'd like to add to your CSP header.
Directive sources explained
You can add any number of CSP header directives to your Members Portal to expand the content and sources you use to build and customize it. Each directive must have one of the following sources:
default-src
Fallback directive for all unspecified types of resource.
For example, a default-src directive set to 'self' would only load content originating from your Members Portal. This option is not ideal if you rely on third-party hosts and platforms.
script-src
Directive that controls where JavaScript can be loaded from.
For example, a script-src directive set to 'self' https://cdn.jsdelivr.net; will only allow JavaScript to be loaded from your own domain and jsDelivr.
frame-src
Directive that controls which websites can be embedded on your Members Portal via <iframe>.
For example, a frame-src directive set to https://spotify.com https://www.youtube.com; will only allow iframes coming from YouTube and Spotify.
img-src
Directive that controls which sources are allowed for images.
For example, an img-src directive set to 'self' https://getty.com; will only allow images hosted by Nexudus and Getty.
style-src
Directive that controls where CSS can be loaded from.
For example, a style-src directive set to 'self'; will allow local CSS and inline styles.
connect-src
Directive that controls AJAX, WebSocket, and fetch connections.
For example, a connect-src directive set to 'self' https://api.example.com; will allow API calls to your domain and api.example.com.
font-src
Directive that controls where font files can be loaded from.
For example, a font-src directive set to 'self' https://fonts.googleapis.com; will only allow fonts you add via the web template editor in Nexudus and Google Fonts.
object-src
Directive that controls the use of <object>, <embed>, and <applet> elements.
For example, an object-src directive set to 'none'; will block them entirely on your Members Portal.
media-src
Directive that controls the sources allowed for audio and video files.
For example, a media-src directive set to https://media.example.com; will only load media hosted by media.example.com.
form-action
Directive that restricts where forms can submit data to.
For example, a form-action directive set to 'self'; will only allow forms you create within Nexudus.
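The steps above and the directive descriptions can be checked offline before you paste anything into the Admin Panel. The following Python script is an added example, not Nexudus code: it assembles a header value from the page's own directive examples (space-separated sources, each directive closed with a semicolon) and then evaluates, with default-src fallback, whether a given URL would be allowed. The Members Portal origin is a constructed placeholder, and only 'self', 'none' and https:// host sources are modelled.

```python
from urllib.parse import urlsplit

# Constructed policy built from the directive examples on this page.
POLICY = {
    "default-src": ["'self'"],
    "frame-src": ["https://spotify.com", "https://www.youtube.com"],
    "script-src": ["'self'", "https://cdn.jsdelivr.net"],
    "object-src": ["'none'"],
    "form-action": ["'self'"],
}
# form-action is a navigation directive: it never falls back to default-src.
NO_FALLBACK = {"form-action"}
# Placeholder for your Members Portal address (constructed; not a real site).
OWN_ORIGIN = "https://members.example.com"


def build_header(policy):
    """Join sources with single spaces and close each directive with ';'."""
    parts = []
    for name, sources in policy.items():
        for src in sources:
            keyword = src.startswith("'") and src.endswith("'")
            if not keyword and not src.startswith("https://"):
                raise ValueError(f"{name}: {src!r} must be a quoted keyword or an https:// host")
        parts.append(f"{name} {' '.join(sources)};")
    return " ".join(parts)


def _matches(src, url, own_origin):
    """Host-source matching: scheme, host and port must match exactly (no subdomains)."""
    u = urlsplit(url)
    if src == "'self'":
        return (u.scheme, u.netloc) == urlsplit(own_origin)[:2]
    if src.startswith("'"):  # 'none' and other keywords never match a URL
        return False
    s = urlsplit(src)
    return (s.scheme, s.netloc) == (u.scheme, u.netloc)


def is_allowed(policy, directive, url, own_origin=OWN_ORIGIN):
    """True if the browser would load `url` under `directive`, applying default-src fallback."""
    sources = policy.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = policy.get("default-src")  # unspecified fetch directive: use the fallback
    if sources is None:
        return True  # nothing in the policy restricts this load
    return any(_matches(src, url, own_origin) for src in sources)
```

Note that with only default-src set, form-action is left unrestricted, and that https://spotify.com does not cover subdomains such as open.spotify.com, so check the exact host your embeds load from.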