Configuring Your Content Security Policy (CSP) for Integrating TRUENDO CMP


Introduction

When integrating the TRUENDO Consent Management Platform (CMP) into your website, you may encounter issues due to your site's Content Security Policy (CSP) blocking TRUENDO's scripts and resources. CSP is a security feature that helps prevent Cross-Site Scripting (XSS), data injection attacks, and other code execution vulnerabilities by restricting the sources from which content can be loaded.

To ensure that TRUENDO CMP functions correctly on your site, you need to adjust your CSP to allow TRUENDO's scripts and resources to load. This guide will walk you through the steps required to modify your CSP to accommodate TRUENDO CMP.


1. Understanding Content Security Policy (CSP)

Content Security Policy (CSP) is a security standard introduced to prevent various types of attacks, such as Cross-Site Scripting (XSS) and data injection attacks. CSP allows you to specify valid sources for content that the browser should load on your website.

CSP is implemented via the Content-Security-Policy HTTP header or via a <meta> tag in your HTML. It consists of directives that define allowed content sources for various types of resources, such as scripts, styles, images, and more.

Common CSP Directives:

  • script-src: Defines valid sources for JavaScript.
  • style-src: Defines valid sources for CSS styles.
  • connect-src: Defines valid endpoints for AJAX, WebSocket, and EventSource connections.
  • img-src: Defines valid sources for images.
  • font-src: Defines valid sources for fonts.
  • frame-src: Defines valid sources for embedded frames.

2. Why Adjust CSP for TRUENDO CMP

When you integrate TRUENDO CMP into your website, it requires loading scripts and resources from TRUENDO's servers. If your CSP does not include these sources, the browser will block the loading of TRUENDO CMP scripts, causing the consent management functionality to fail.

By adjusting your CSP to allow TRUENDO's resources, you ensure that:

  • TRUENDO CMP Scripts Load Successfully: The consent banner and privacy center display correctly.
  • User Interactions are Processed: Consent preferences are saved and respected.
  • Communication with TRUENDO Servers: Necessary data exchanges (e.g., consent logs) are allowed.

3. Identifying TRUENDO CMP Resources

To adjust your CSP appropriately, you need to know which domains TRUENDO CMP uses. The following are the required URLs that need to be allowed in your CSP settings:

  • All TRUENDO Subdomains:

    • https://*.truendo.com
    • https://*.priv.center

These URLs are used for TRUENDO's scripts, images, styles, fonts, and frames.


4. Adjusting Your CSP

A. Access Your CSP Settings

Depending on your Content Management System (CMS) or server configuration, locate the section where you can modify or add your CSP settings:

  • Web Server Configuration: Check your server files (e.g., Apache's .htaccess, Nginx's configuration files).
  • CMS Settings: Some CMS platforms have security plugins or settings where CSP can be configured.
  • Meta Tags in HTML: If CSP is set using a <meta> tag in your HTML files.

B. Update CSP Directives

Add the following directives to your CSP configuration to allow TRUENDO to load its resources properly:

script-src 'self' https://*.truendo.com https://*.priv.center; style-src 'self' https://*.truendo.com https://*.priv.center; img-src 'self' https://*.truendo.com https://*.priv.center; font-src 'self' https://*.truendo.com https://*.priv.center; frame-src 'self' https://*.truendo.com https://*.priv.center; connect-src 'self' https://*.truendo.com https://*.priv.center;

Explanation:

  • script-src: Allows scripts from TRUENDO's domains.
  • style-src: Permits stylesheets from TRUENDO.
  • img-src: Enables images from TRUENDO.
  • font-src: Allows fonts from TRUENDO.
  • frame-src: Permits frames from TRUENDO.
  • connect-src: Allows AJAX and WebSocket connections to TRUENDO.

C. Save and Test

  1. Save Your Changes: After updating the CSP directives, save the configuration file or settings.
  2. Restart Server (if necessary): Some server configurations require a restart to apply changes.
  3. Test Your Website: Visit your website to ensure that TRUENDO is functioning correctly and that no resources are being blocked.

5. Example CSP Adjustments

Original CSP Example

Suppose your current CSP is:

Content-Security-Policy: default-src 'self';

Adjusted CSP Including TRUENDO CMP

Content-Security-Policy: default-src 'self'; script-src 'self' https://*.truendo.com https://*.priv.center; style-src 'self' https://*.truendo.com https://*.priv.center; img-src 'self' https://*.truendo.com https://*.priv.center; font-src 'self' https://*.truendo.com https://*.priv.center; frame-src 'self' https://*.truendo.com https://*.priv.center; connect-src 'self' https://*.truendo.com https://*.priv.center;

Explanation:

  • Included TRUENDO Domains: Added https://*.truendo.com and https://*.priv.center to each relevant directive.
  • Maintained 'self': Kept 'self' to allow resources from your own domain.

CSP Meta Tag Example

If you're using a CSP meta tag in your HTML:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://*.truendo.com https://*.priv.center; style-src 'self' https://*.truendo.com https://*.priv.center; img-src 'self' https://*.truendo.com https://*.priv.center; font-src 'self' https://*.truendo.com https://*.priv.center; frame-src 'self' https://*.truendo.com https://*.priv.center; connect-src 'self' https://*.truendo.com https://*.priv.center;">

6. Testing Your CSP Configuration

After adjusting your CSP, it's crucial to test to ensure both TRUENDO CMP functions correctly and your site's security remains intact.

Steps:

  1. Clear Browser Cache and Cookies:

    • This ensures you're testing the latest changes.
  2. Access Your Website:

    • Load your site in different browsers to test compatibility.
  3. Verify TRUENDO CMP Functionality:

    • Check that the consent banner appears and operates as expected.
    • Interact with the banner to ensure consent choices are saved.
  4. Check for CSP Violations:

    • Open the browser's developer console.
    • Look for any CSP-related errors or warnings.
  5. Inspect Network Requests:

    • Use the network tab to confirm that resources from TRUENDO's domains are being loaded.
  6. Security Validation:

    • Ensure that no unintended resources are now permitted due to CSP changes.

7. Additional Information

Why Include These URLs in Your CSP

By including these URLs in your CSP settings, you ensure that all TRUENDO resources—including scripts, images, styles, fonts, and frames—are loaded without issues. This allows the consent management platform to operate smoothly on your website.

Avoid Overly Permissive Directives

  • Do Not Use Wildcards Indiscriminately:

    • While * allows all domains, it is not recommended due to security risks.
  • Be Specific:

    • Only include the necessary domains to minimize potential vulnerabilities.

Considerations for Inline Scripts and Styles

  • Avoid 'unsafe-inline':

    • Including 'unsafe-inline' in your CSP weakens security. Use nonces or hashes if inline scripts or styles are necessary.

Using Nonces or Hashes

  • Nonces and Hashes:

    • If TRUENDO CMP requires inline scripts or styles, consider using CSP nonces or hashes to allow them securely.

Regular CSP Audits

  • Periodic Reviews:

    • Regularly review your CSP settings to ensure they align with the current security best practices and that no unnecessary domains are allowed.
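The checks in section 6 (steps 4 and 6) and the guidance in section 7 can be run offline against a policy string before it is deployed. The following script is an added example, not TRUENDO's own tooling: it parses a Content-Security-Policy value, applies the default-src fallback the browser uses, reports which of the six directives would still block TRUENDO's origins, and flags overly broad sources. Beyond the `*` and `'unsafe-inline'` named in the guide, it also flags scheme-only sources (`https:`) and `'unsafe-eval'`, which are equally permissive.

```python
"""Added example (not TRUENDO's own tooling): offline checker for the
CSP directives TRUENDO CMP needs. Parses a Content-Security-Policy
value, resolves the default-src fallback, and reports both directives
that would still block TRUENDO's origins and overly broad sources."""

# Origins from section 3 and the six fetch directives from section 4B.
TRUENDO_ORIGINS = ("https://*.truendo.com", "https://*.priv.center")
NEEDED_DIRECTIVES = ("script-src", "style-src", "img-src",
                     "font-src", "frame-src", "connect-src")
# '*' and 'unsafe-inline' come from section 7; scheme-only sources and
# 'unsafe-eval' are added here because they are just as broad.
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}. Directive
    names are case-insensitive; per the CSP spec a repeated directive
    is ignored, so the first occurrence wins."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: dict[str, list[str]], name: str) -> list[str]:
    """Source list the browser actually applies: a missing fetch directive
    falls back to default-src (frame-src consults child-src first)."""
    if name in directives:
        return directives[name]
    if name == "frame-src" and "child-src" in directives:
        return directives["child-src"]
    return directives.get("default-src", [])


def check_policy(policy: str) -> dict[str, list]:
    """Return {"blocked": [(directive, [missing origins])],
               "risky": [(directive, source)]}."""
    directives = parse_csp(policy)
    blocked, risky = [], []
    for name in NEEDED_DIRECTIVES:
        sources = effective_sources(directives, name)
        allows_any_https = "*" in sources or "https:" in sources
        missing = [o for o in TRUENDO_ORIGINS if o not in sources]
        if missing and not allows_any_https:
            blocked.append((name, missing))
    for name, sources in directives.items():
        risky.extend((name, s) for s in sources if s in RISKY_SOURCES)
    return {"blocked": blocked, "risky": risky}


if __name__ == "__main__":
    # Constructed input: the "Original CSP Example" from section 5.
    print(check_policy("default-src 'self';"))
```

Only the exact wildcard origins from section 3 are recognised; a policy that lists a single TRUENDO host instead is reported as blocked, which is the conservative outcome for a pre-deployment check.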

8. Conclusion

Adjusting your CSP to include TRUENDO CMP's required resources is essential for the proper functioning of the consent management system on your website. By carefully updating your CSP directives, you maintain a secure environment while ensuring compliance with privacy regulations.


9. Support and Resources

If you have any further questions or require assistance with specific configurations, please don't hesitate to reach out to TRUENDO support or consult the resources provided.


End of Guide

