Get started

Content Security Policy

If your site runs a Content Security Policy, it needs to allow two things: the f.js script itself, and the small inline Consent Mode stub that sits above it. This page gives you the exact directives.

script-src

Allow the f.js origin, plus the inline stub:

script-src https://js.consentfolio.com 'sha256-90d2cWv7SmSBSqOD6oiHSjmqTVyzpiAoNORDOBOIMlY=';
  • https://js.consentfolio.com lets the browser load f.js.
  • The inline stub (the small <script> block that sets Consent Mode defaults — see install.md) needs its own allowance, because it's inline. You have two options:
  • 'unsafe-inline' — works, but weakens your policy for every inline script on the page, not just this one.
  • A SHA-256 hash of the stub (recommended). The stub is byte-identical for every Consentfolio customer — it never contains your public key or any project-specific value — so its hash is stable across the whole customer base and only changes when we ship a new version of the stub. Compute the hash yourself from the exact bytes of the stub as it appears on your page (including whitespace — a single character difference produces a different hash), or use the current hash we publish alongside each release. The published hash is the authoritative source; if your computed value disagrees with it, re-check for whitespace or copy/paste differences before assuming ours is wrong.

Example with a hash in place:

Content-Security-Policy: script-src https://js.consentfolio.com 'sha256-90d2cWv7SmSBSqOD6oiHSjmqTVyzpiAoNORDOBOIMlY=';

connect-src

f.js makes two kinds of requests to js.consentfolio.com: fetching the published config (GET /api/v1/config/<public_key>) and sending consent receipts (POST /api/v1/consent). Both need to be allowed:

connect-src https://js.consentfolio.com;

style-src

No special allowance is needed for styles. f.js renders inside a Shadow DOM and applies its styling via adoptedStyleSheets (with a <style>-in-shadow fallback), so it never needs style-src 'unsafe-inline' or an external stylesheet host.

Putting it together

A minimal policy addition looks like:

Content-Security-Policy:
  script-src 'self' https://js.consentfolio.com 'sha256-90d2cWv7SmSBSqOD6oiHSjmqTVyzpiAoNORDOBOIMlY=';
  connect-src 'self' https://js.consentfolio.com;

Merge these directives into your existing policy rather than replacing it — most sites already have script-src/connect-src entries for other tools (GTM, your analytics, etc.) that need to stay in place.

Questions? consentfolio.com · This page is documentation, not legal advice.