Sandbox release disclaimer: Some content in this article outlines how to use functionalities that will be publicly released to all clients at the end of January 2026. If you see differences between this article and your platform, contact your Docebo representative for how to obtain it. Learn more about the release cycle.
Introduction
To strengthen your platform’s security, you can enable Content Security Policy (CSP) headers.
CSP helps prevent malicious scripts from running by controlling which sources are allowed to load and execute JavaScript within your environment.
This feature is optional and must be enabled manually in your settings. We strongly recommend enabling it to improve the overall security of your platform.
Enable CSP headers
To enable and configure CSP headers:
- Go to Admin menu > SETTINGS > Advanced settings.
- In the left navigation pane, select Advanced Options.
- Scroll down to the Security related section and locate CSP headers.
- Select the check box Block external JavaScript sources except for sites on the allow list.
- Under External JavaScript sources allow list, enter the URLs of trusted domains that are allowed to load JavaScript.
- You can add up to 5 URLs.
- Wildcards are supported (e.g. https://*.force.com).
- Click Save to apply your changes.
How CSP headers work
External scripts
Scripts loaded from external sources (such as CDNs) will only run if their domain is included in your allow list.
Any scripts from unlisted sources will be blocked automatically.
Inline scripts
Inline scripts (JavaScript written directly within HTML) will continue to work using a security nonce—a unique, one-time-use token added to your page automatically. This ensures inline scripts are trusted and can execute safely.
Please note: If an inline script dynamically loads additional scripts, those scripts must either:
- Be loaded from a domain on the allow list
- Inherit the same security nonce (see the section Propagate the security nonce below)
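The two rules above are how the browser evaluates the script-src directive that this setting produces: a nonce admits inline scripts (and anything else carrying that nonce), and host sources admit external scripts by origin. The following is an added example, not Docebo's code or the browser's implementation, that models that decision in a simplified form. It assumes a constructed policy header and page origin, supports nonces, 'self', scheme sources and host sources with wildcard subdomains and ports, omits path matching and 'strict-dynamic', and assumes the page is served over https (the function and constant names are this example's own).

```javascript
// Added example, not Docebo's code: a simplified model of how a browser
// evaluates a script against the script-src directive produced by the
// "CSP headers" setting. Covers nonces, 'self', scheme sources and host
// sources with wildcard subdomains and ports; path matching and
// 'strict-dynamic' are omitted. The page is assumed to be served over https.

// Extract the source expressions of the script-src directive from a header value.
function parseScriptSrc(header) {
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] && tokens[0].toLowerCase() === 'script-src') return tokens.slice(1);
  }
  return [];
}

// Match one host-source expression (e.g. https://*.force.com or cdn.example.com:8443)
// against a parsed script URL, following the CSP host matching rules for these parts.
function hostSourceMatches(expr, url) {
  // A scheme source such as "https:" matches every URL with that scheme.
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (schemeOnly) return url.protocol === schemeOnly[1].toLowerCase() + ':';

  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(?:\/\S*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;

  // Scheme: an explicit scheme must match; a bare host inherits the page scheme (https here).
  const required = (scheme || 'https').toLowerCase() + ':';
  if (url.protocol !== required) return false;

  // Host: "*." matches any subdomain but not the bare domain itself.
  const h = url.hostname.toLowerCase();
  const wanted = host.toLowerCase();
  if (wildcard ? !h.endsWith('.' + wanted) : h !== wanted) return false;

  // Port: no port in the expression means the scheme's default port;
  // the URL API reports url.port as '' when the default port is in use.
  if (port === undefined) return url.port === '';
  if (port === '*') return true;
  const effective = url.port || (url.protocol === 'https:' ? '443' : '80');
  return effective === port;
}

// Decide whether a script element would be permitted to run.
// script: { src?: string, nonce?: string }; pageOrigin is used to resolve 'self'.
function isScriptAllowed(sources, script, pageOrigin) {
  // A nonce that matches the policy admits the script regardless of its source.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  if (!script.src) return false; // inline script without a matching nonce is blocked
  let url;
  try { url = new URL(script.src); } catch { return false; }
  if (sources.includes("'self'") && url.origin === pageOrigin) return true;
  return sources.filter((s) => !s.startsWith("'")).some((s) => hostSourceMatches(s, url));
}

// Constructed sample policy in the shape this feature produces: the platform's own
// origin, a per-response nonce for inline scripts, and two allow-listed domains.
const SAMPLE_HEADER =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lue' https://*.force.com https://cdn.example.com";
const SAMPLE_ORIGIN = 'https://lms.example.com'; // constructed page origin

function checkSample(script) {
  return isScriptAllowed(parseScriptSrc(SAMPLE_HEADER), script, SAMPLE_ORIGIN);
}

for (const s of [
  { src: 'https://login.force.com/widget.js' }, // subdomain of an allow-listed wildcard
  { src: 'https://force.com/x.js' },            // bare domain: not covered by *.force.com
  { src: 'https://cdn.example.com:8443/x.js' }, // wrong port
  { nonce: 'r4nd0mV4lue' },                     // inline script carrying the page nonce
]) {
  console.log(JSON.stringify(s), checkSample(s) ? 'allowed' : 'blocked');
}
```

The wildcard and port cases are the ones that usually surprise administrators: https://*.force.com admits login.force.com but not force.com itself, and an entry without a port admits only the scheme's default port.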
Propagate the security nonce
If your inline script creates new <script> elements dynamically, you’ll need to update your code to propagate the nonce. Below is an example of how to modify your script to support this.
Original script:
const script = document.createElement('script');
script.setAttribute('src','SOME_SCRIPT_URL');
document.querySelector('head').appendChild(script);

Updated script with nonce support:
const script = document.createElement('script');
script.setAttribute('src','SOME_SCRIPT_URL');
// Copy the nonce of the currently executing inline script onto the new element
// so the browser treats the dynamically added script as trusted under the policy.
if (document.currentScript.nonce) {
  script.setAttribute('nonce', document.currentScript.nonce);
}
document.querySelector('head').appendChild(script);

This ensures the dynamically loaded script is also trusted and permitted to execute under your CSP configuration.
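The snippet above reads document.currentScript at the moment the inline script runs, which is the only time it is available: inside a setTimeout, event handler or promise callback, and in module scripts, document.currentScript is null, so a script created later would be appended without a nonce and blocked. The following is an added example, not Docebo's code, showing the pattern of capturing the nonce once up front and reusing it for scripts created later. The helper names (captureNonce, createNoncedScript, loadScriptLater), the document parameter and the script URL are this example's own; the browser-only demo at the end runs only when a document object exists.

```javascript
// Added example, not Docebo's code: capture the CSP nonce while the inline
// script is executing, then propagate it to scripts created later, when
// document.currentScript is no longer available.

// Read the nonce of the currently executing script. Call this synchronously
// at the top level of the inline script: document.currentScript is null in
// callbacks (setTimeout, event handlers, promise handlers) and in module scripts.
function captureNonce(doc) {
  const current = doc.currentScript;
  if (!current) return '';
  // Prefer the IDL property: browsers hide the nonce content attribute from
  // getAttribute() once the element is connected to the document.
  return current.nonce || current.getAttribute('nonce') || '';
}

// Build a <script> element for src that carries the given nonce (if any).
function createNoncedScript(doc, src, nonce) {
  const script = doc.createElement('script');
  script.setAttribute('src', src);
  if (nonce) {
    script.setAttribute('nonce', nonce);
  }
  return script;
}

// Append a script after a delay, using a nonce captured earlier rather than
// re-reading document.currentScript (which would be null inside the timer).
function loadScriptLater(doc, src, nonce, delayMs) {
  return new Promise((resolve, reject) => {
    setTimeout(() => {
      const script = createNoncedScript(doc, src, nonce);
      script.onload = () => resolve(src);
      script.onerror = () => reject(new Error('blocked or failed to load: ' + src));
      doc.head.appendChild(script);
    }, delayMs);
  });
}

// Browser-only demo with a constructed URL; skipped where there is no DOM.
if (typeof document !== 'undefined') {
  const pageNonce = captureNonce(document); // captured now, while currentScript is set
  loadScriptLater(document, 'https://cdn.example.com/widget.js', pageNonce, 500)
    .then((src) => console.log('loaded', src))
    .catch((err) => console.error(err.message));
}
```

If the nonce is missing when the deferred script is created, the browser reports a CSP violation in the console and the script does not run; a script.onerror handler as above is the place to surface that to the application.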