Managing your policy
Last updated 2025-03-18
A content security policy (policy) controls the resources (e.g., scripts, images, and fonts) that load on an end user’s browser for a Page. A policy only applies to one Page. Maintaining a policy helps guard against cross-site scripting attacks.
IMPORTANT
Policies have an active and draft state and are versionless. When you make a change to a policy, a draft of the policy is created. You must activate the draft policy to push the change to the active policy. Once the draft policy is activated, the active policy will reflect the change and the draft policy is deleted.
Prerequisites
Before creating and managing a policy, you must set up Client-Side Protection by creating at least one website and Page.
Limitations and considerations
When working with policies, keep the following in mind:
- When an object evaluated by the Next-Gen WAF is cached, the policy attached to the object is also cached. Both the object and policy are served together for as long as the object remains in the cache. If you update the policy, cached objects won't reflect the updated policy until the object is removed from cache and passes through the WAF again.
- A policy cannot be deleted. To prevent a policy from being added to responses, set the Protection mode setting to Off.
Creating a policy
To create a policy, complete the following steps:
- Log in to the Fastly control panel.
- Go to Security > Client-Side Protection > Policy.
- From the workspaces bar, click the menu to the right of the Page name and select a Page.
- Click Create policy. A blank policy is created in draft state.
- Add values for the directives on the policy, being sure to use fetch directive syntax.
- From the Protection mode menu, select Blocking or Logging. The Protection mode setting tells the end user's browser how to handle policy violations.
- Click Activate to activate the policy.
Managing directive source values
A policy is made up of directives. Each directive controls one type of resource and has source values, which define where that type of resource can be loaded from. For example, the script-src directive controls the allowed sources for JavaScript. Potential values for script-src are as follows:
TIP
This table only covers four syntax options for values. For a complete list, read Mozilla's Fetch directive syntax.
Syntax option | Example value | Description |
---|---|---|
`'none'` | `'none'` | Blocks all JavaScript resources from loading. If you use this value, the directive can't have any other values. |
`'self'` | `'self'` | Allows loading of JavaScript resources from the same origin. For example, if the end user makes a request to `https://example.com`, the browser loads `https://example.com/foo.js` because the resource has the same origin, but it prevents `https://example.org/foo.js` from loading because that resource has a different origin. |
`<host-source>` | `https://*.example.com` | Allows loading of JavaScript resources from subdomains of `example.com`. |
`'nonce-<nonce_value>'` | `'nonce-1234-abcd-5678-efgh'` | Allows loading of JavaScript resources whose tag carries the matching `nonce` attribute: `<script nonce="1234-abcd-5678-efgh"></script>`. A nonce is a random string that your web server creates for a webpage. |
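To make the table's semantics concrete, the following is an added example, not code from Fastly or from this documentation, that models how a browser evaluates a single fetch directive against a resource URL. It covers the four syntax options above and goes slightly beyond the table by handling ports and scheme-less host-sources the way CSP3 specifies; other keyword sources are deliberately not modelled. The function names, the page origin `https://example.com`, and the resource URLs and nonce value are all constructed for illustration.

```javascript
// Added example (not Fastly's code): a small model of how a browser decides
// whether one resource URL is permitted by a single CSP fetch directive such
// as script-src. Covers 'none', 'self', host-source and 'nonce-...' following
// the CSP3 matching rules as far as those options need. Paths in host-sources
// and other keyword sources ('unsafe-inline', 'strict-dynamic', ...) are not
// modelled. All origins, URLs and nonce values here are constructed samples.

function parseSourceList(directiveValue) {
  // A directive value is a whitespace-separated list of source expressions.
  return directiveValue.trim().split(/\s+/).filter(Boolean);
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

function hostSourceMatches(source, url, page) {
  // host-source = [scheme "://"] host [":" port], e.g. https://*.example.com
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?\/?$/i);
  if (!m) return false; // includes host-sources with a path, which are not modelled
  const [, scheme, host, port] = m;

  // Scheme: an explicit scheme must match exactly; without one, the resource
  // may use the page's scheme, or https when the page itself is plain http.
  if (scheme) {
    if (scheme.toLowerCase() + ':' !== url.protocol) return false;
  } else if (url.protocol !== page.protocol &&
             !(page.protocol === 'http:' && url.protocol === 'https:')) {
    return false;
  }

  // Host: "*" matches any host; "*.example.com" matches subdomains only and
  // never example.com itself; anything else must match exactly.
  const urlHost = url.hostname.toLowerCase();
  const srcHost = host.toLowerCase();
  if (srcHost === '*') {
    // any host
  } else if (srcHost.startsWith('*.')) {
    const suffix = srcHost.slice(1); // ".example.com"
    if (!urlHost.endsWith(suffix) || urlHost.length === suffix.length) return false;
  } else if (srcHost !== urlHost) {
    return false;
  }

  // Port: no port in the source means the resource must be on the scheme's
  // default port; an explicit port must match, and '*' allows any port.
  if (port === undefined) return url.port === '';
  const urlPort = url.port || defaultPort(url.protocol);
  return port === '*' || port === urlPort;
}

function isAllowedByDirective(directiveValue, pageOrigin, resourceUrl, elementNonce) {
  const sources = parseSourceList(directiveValue);
  const page = new URL(pageOrigin);
  const url = new URL(resourceUrl);

  // An empty list, or 'none' on its own, blocks everything. ('none' next to
  // other values is a configuration error per the table; in this model it
  // simply never matches anything.)
  if (sources.length === 0) return false;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;

  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'self'") {
      if (url.origin === page.origin) return true;
    } else if (s.startsWith("'nonce-") && s.endsWith("'")) {
      // Compare the nonce in its original case; nonces are case-sensitive.
      const expected = src.slice("'nonce-".length, -1);
      if (elementNonce !== undefined && elementNonce === expected) return true;
    } else if (!s.startsWith("'")) {
      if (hostSourceMatches(src, url, page)) return true;
    }
  }
  return false;
}

// Constructed checks using the table's example values against a page at
// https://example.com (third column is the nonce carried by the script tag).
const PAGE = 'https://example.com';
const CHECKS = [
  ["'self'", 'https://example.com/foo.js', undefined],
  ["'self'", 'https://example.org/foo.js', undefined],
  ['https://*.example.com', 'https://cdn.example.com/lib.js', undefined],
  ['https://*.example.com', 'https://example.com/lib.js', undefined],
  ["'nonce-1234-abcd-5678-efgh'", 'https://example.org/t.js', '1234-abcd-5678-efgh'],
  ["'none'", 'https://example.com/foo.js', undefined],
];
for (const [directive, resource, nonce] of CHECKS) {
  console.log(`${directive.padEnd(30)} ${resource.padEnd(34)} -> ${isAllowedByDirective(directive, PAGE, resource, nonce)}`);
}
```

The `https://*.example.com` row shows the point practitioners most often miss: the wildcard admits `cdn.example.com` but not `example.com` itself, so a policy that needs both must list `'self'` (or the bare host) as well.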
Adding directive source values
To add a directive source value, complete the following steps:
- Log in to the Fastly control panel.
- Go to Security > Client-Side Protection > Policy.
- From the workspaces bar, click the menu to the right of the Page name and select a Page.
- Find the appropriate directive and click Add value.
- In the Directive source field, enter the source that you want to allowlist. Be sure to use fetch directive syntax.
- Click Add source. A draft of the policy is created and the value is added to the directive.
- Click Activate to activate the policy.
Editing directive source values
To edit a directive source value, complete the following steps:
- Log in to the Fastly control panel.
- Go to Security > Client-Side Protection > Policy.
- From the workspaces bar, click the menu to the right of the Page name and select a Page.
- Click the pencil to the right of the directive value that you want to edit.
- In the Directive source field, update the source that you want to allowlist. Be sure to use fetch directive syntax.
- Click Update value. A draft of the policy is created and the value is updated.
- Click Activate to activate the policy.
Deleting directive source values
To delete a directive source value, complete the following steps:
- Log in to the Fastly control panel.
- Go to Security > Client-Side Protection > Policy.
- From the workspaces bar, click the menu to the right of the Page name and select a Page.
- Click the trash to the right of the directive value that you want to delete.
- Click Remove value. A draft of the policy is created and the value is removed from the directive.
- Click Activate to activate the policy.
Changing the protection mode
Protection mode is a policy setting that tells the end user's browser how to handle policy violations (i.e., block or log the resource). To change the protection mode, complete the following steps:
- Log in to the Fastly control panel.
- Go to Security > Client-Side Protection > Policy.
- From the workspaces bar, click the menu to the right of the Page name and select a Page.
- From the Protection mode menu, select one of the following options. A draft of the policy is created.
  - Blocking: the end user's browser blocks resources that violate the policy from loading and sends a policy violation report to Fastly.
  - Logging: the end user's browser allows resources that violate the policy to load and sends a policy violation report to Fastly.
  - Off: the policy is disabled and not sent to the end user's browser.
- Click Activate to activate the policy.
Monitoring policy violation reports
You can view policy violation reports from the Reports page in the Fastly control panel. If you want to update your policy based on a report, make a note of the relevant effective directive and blocked URI, go to the Policy page, and add a new value for the effective directive.
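The following added example, which is not Fastly's code and not part of this documentation, automates the note described above: it reads violation reports, groups them by effective directive and blocked URI, and proposes the narrowest source value to add. The field names are those of the standard CSP `csp-report` JSON body and of the Reporting API `csp-violation` body; that the Fastly Reports page exposes the same two fields is an assumption. The function names and every report in `SAMPLE_REPORTS` are constructed for illustration.

```javascript
// Added example (not Fastly's code): turns CSP violation reports into the
// (effective directive, blocked URI) note the page tells you to make and
// proposes the narrowest allowlist value for that directive. Field names
// follow the standard "csp-report" body and the Reporting API "csp-violation"
// body; it is an assumption that Fastly's report view carries the same
// fields. All reports below are constructed samples.

function extractViolation(report) {
  if (report['csp-report']) {
    const r = report['csp-report'];
    return {
      directive: r['effective-directive'] || r['violated-directive'],
      blockedUri: r['blocked-uri'],
      document: r['document-uri'],
    };
  }
  if (report.type === 'csp-violation' && report.body) {
    const b = report.body;
    return { directive: b.effectiveDirective, blockedUri: b.blockedURL, document: b.documentURL };
  }
  throw new Error('unrecognised report format');
}

function suggestSourceValue(blockedUri) {
  // Browsers put a few non-URL markers in blocked-uri; each calls for a
  // different response than a plain allowlist entry.
  switch (blockedUri) {
    case 'inline': return "'nonce-<value generated per response>'"; // prefer this over 'unsafe-inline'
    case 'eval':   return null; // would need 'unsafe-eval'; change the page code instead
    case 'data':   return 'data:';
    case 'blob':   return 'blob:';
    case undefined:
    case '':       return null;
  }
  try {
    // Allowlist the origin (scheme + host + non-default port), not the full
    // path, so one entry covers the host without widening to a wildcard.
    return new URL(blockedUri).origin;
  } catch (e) {
    return null; // not a parseable URL; leave for manual review
  }
}

function summarise(reports) {
  // Group identical (directive, suggested value) pairs and count them, most
  // frequent first, so the noisiest violations are reviewed first.
  const groups = new Map();
  for (const report of reports) {
    const v = extractViolation(report);
    const suggestion = suggestSourceValue(v.blockedUri);
    const key = `${v.directive}\u0000${suggestion}`;
    const g = groups.get(key) || { directive: v.directive, blockedUri: v.blockedUri, suggestion, count: 0 };
    g.count += 1;
    groups.set(key, g);
  }
  return [...groups.values()].sort((a, b) => b.count - a.count);
}

function addSourceValue(directiveValue, source) {
  // Append a source to a directive value unless it is already present. A
  // directive that is exactly 'none' is replaced, since 'none' admits no
  // other values.
  const sources = directiveValue.trim().split(/\s+/).filter(Boolean);
  if (sources.includes(source)) return sources.join(' ');
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return source;
  return [...sources, source].join(' ');
}

// Constructed sample reports in both wire formats.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://example.com/checkout', 'effective-directive': 'script-src',
                    'blocked-uri': 'https://cdn.example.org/analytics.js', 'original-policy': "script-src 'self'" } },
  { 'csp-report': { 'document-uri': 'https://example.com/cart', 'effective-directive': 'script-src',
                    'blocked-uri': 'https://cdn.example.org/analytics.js', 'original-policy': "script-src 'self'" } },
  { type: 'csp-violation', body: { documentURL: 'https://example.com/', effectiveDirective: 'img-src',
                                   blockedURL: 'https://img.example.net/logo.png' } },
  { 'csp-report': { 'document-uri': 'https://example.com/', 'effective-directive': 'script-src',
                    'blocked-uri': 'inline', 'original-policy': "script-src 'self'" } },
];

for (const g of summarise(SAMPLE_REPORTS)) {
  console.log(`${g.count}x ${g.directive} blocked ${g.blockedUri} -> add ${g.suggestion || '(no allowlist value; fix the page instead)'}`);
}
```

Suggesting the origin rather than the full blocked URL keeps the added value narrow; a report for `inline` is deliberately answered with a nonce rather than `'unsafe-inline'`, and `eval` gets no suggestion at all, since either keyword would undo most of the protection the policy provides.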