HTTP response headers

In order to improve the security of your knowledge base, you can enable some additional HTTP response headers and/or Content Security Policies that will be returned by our servers that give additional instructions to the reader's browser. The effects of these headers vary and should only be enabled by someone with a clear understanding of what they do.

You can find these settings under Settings > Security in the HTTP Response Headers section. Below we'll provide a brief high level description of what each of these headers is used for.

HTTP Response Header Options

HTTP Strict Transport Security (HSTS)

The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. See MDN Web Docs for more info.

X-XSS-Protection: 1

Enables XSS filtering (usually the default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts). See MDN Web Docs for more info.

X-Content-Type-Options: nosniff

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This is a way to opt out of MIME type sniffing, or, in other words, to say that the MIME types are deliberately configured. See MDN Web Docs for more info.

X-Frame-Options: SAMEORIGIN/DENY

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in an <iframe>, <embed>, or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites. See MDN Web Docs for more info.

Content Security Policy

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. If you're pulling external resources, the CSP determines which domains are allowed to do certain things, such as run scripts, load resources, and so on. See MDN Web Docs for more info.

You can include domains with and without the scheme (such as https:, wss:, etc.), 'unsafe-eval', and domains with wildcards (*) for any of the CSP directives here.

To enable CSP:

We recommend that you:

1. First, review the individual directives below and add appropriate domains/settings to individual CSP directives (such as default-src, script-src, etc.). See the sections below for more information on each directive.
2. Once you've reviewed all directives and added appropriate domains and resources, check the box to Enable content security policy header.
3. You'll be presented with a pop-up confirming you're ready to enable. You must select Enable to proceed.
   Enable content security policy headers confirmation pop-up
4. CSP won't be fully enabled until you Save.
5. We recommend navigating around your knowledge base after you've enabled the CSP to ensure that you didn't overlook any necessary domains or resources. Console errors can help you identify things you missed!

default-src

This CSP directive is used as a fallback when any of the others don't have values specified. See MDN Web Docs for more information. We include default-src *.knowledgeowl.com, 'self', 'unsafe-inline', and a few other required resources here even if you don't specify them.

script-src

This CSP directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers like onclick. See MDN Web Docs for more information.

Before you enable, consider checking these places for domains you may be running scripts from and be sure you've added them to this directive:

• Settings > Style > Custom HTML: Body, Article, etc.
• Settings > Style > Custom Head
• Library > Snippets: Check individual snippets that may be running scripts themselves

style-src

This CSP directive specifies valid sources for stylesheets. See MDN Web Docs for more information.

Before you enable, consider checking these places for references to external stylesheets and be sure you've added them to this directive:

• Settings > Style > Custom HTML: Body, Article, etc.
• Settings > Style > Custom Head
• Library > Snippets: Check individual snippets that may be running scripts themselves

font-src

This CSP directive specifies valid sources for fonts loaded using @font-face. See MDN Web Docs for more information.

Before you enable, consider checking these places for references to font-face rules containing external resources:

• Settings > Style > Fonts: If a Custom Font is selected, be sure to add that domain.
• Settings > Style > Custom CSS: Look for any font-face rules.
• Settings > Style > Custom Head: Look for any font references outside of KnowledgeOwl.
• Library > Snippets: Check individual snippets to be sure they don't have font-face rules.

img-src

This CSP directive specifies valid sources for images and favicons. See MDN Web Docs for more information.

Before you enable, consider checking these places for references to images outside of KnowledgeOwl:

• Settings > Style > Custom Head
• Settings > Style > Custom CSS
• Settings > Style > Custom HTML: Body, Homepage, Article, etc.
• Individual snippets or articles containing external images in the body or in article thumbnails/banners