We received a penetration testing result from a customer that our Content Security Policy (CSP) is insecure because we use 'unsafe-inline' and 'unsafe-eval' without nonces. We have this due to the requirement from Heap https://developers.heap.io/docs/web#content-security-policy-csp, but I'd like to know why. Is there any way to get Heap to work without these source list values?
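As an added illustration (not part of the original post, and not Heap's documented policy), the checker below parses a CSP header and reports the script-src weaknesses a pentest would flag, run against a constructed policy like the one described and a constructed nonce-based alternative. The nonce variant assumes the server generates a fresh nonce per response and places it on every inline script it emits; whether a given vendor snippet also needs 'unsafe-eval' is not answered here.

```python
# Added example: a small CSP checker for the script-src concerns raised above.
# Both policies are constructed for illustration, not copied from Heap's docs.
WEAK_CSP = ("default-src 'self'; "
            "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example-analytics.test")
NONCE_CSP = ("default-src 'self'; "
             "script-src 'self' 'nonce-c29tZS1yYW5kb20tdmFsdWU' 'strict-dynamic'")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]} with sources lower-cased.
    Browsers honour the first occurrence of a repeated directive, hence setdefault."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def script_src_findings(header: str) -> list:
    """Return the weaknesses in the effective script-src source list."""
    policy = parse_csp(header)
    # script-src falls back to default-src when it is not set at all
    sources = policy.get("script-src", policy.get("default-src", []))
    nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    findings = []
    if "'unsafe-inline'" in sources:
        if nonce_or_hash:
            findings.append("unsafe-inline is ignored by nonce/hash-aware browsers; "
                            "it only acts as a legacy fallback")
        else:
            findings.append("unsafe-inline: any injected inline script or handler executes")
            findings.append("no nonce or hash: inline scripts cannot be allow-listed individually")
    if "'unsafe-eval'" in sources:
        findings.append("unsafe-eval: eval()/new Function()/string timers run arbitrary strings")
    return findings


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("nonce-based", NONCE_CSP)):
        print(label, script_src_findings(csp) or ["no script-src weaknesses found"])
```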