Content Security Policy Blocking resources, unable to edit CSP

I’m having my resources blocked by a CSP that I did not set. Returning blocked:csp errors. Looking into how to fix it and I need to edit settings in Page Shield but I need to upgrade? I don’t want any other CSP settings active. Just basic DNS. If I disable Cloudflare I get infinite redirects, even with HTTPS disabled.

Second time in a row running into major errors with Cloudflare and being unable to fix it without admin backend support. Purchased my domain here and continuing with issues.

Again, I just need basic DNS. I can manage SSL and HTTPS elsewhere, just need my site to not break itself every time I make a slight change on Cloudflare.

Bumping, still no fix

Also not allowed to remove the site from Cloudflare apparently. Would like to remove and re-add to attempt a reset. Maybe the fix on my last issue messed something up? Was just fixed behind the scenes with no response on what was actually changed.

Example errors:

FontAwesome JS from head:

Page Shield is a separate thing that you can use to monitor scripts. It has its own Content-Security-Policy (CSP) it needs to load itself, etc, but this is separate. You don’t need Page Shield to set your CSP, or modify it. Cloudflare does not set a CSP by default.

Cloudflare does not:
Modify CSP headers from the origin web server.

The CSP is being sent from your origin web server. You could configure it there. You could also use Transform Rules Response Headers Rewrite to remove it/modify it forcefully within Cloudflare itself. If you could share the domain, someone from the community here could potentially take a look and help you adjust it.

You don’t need to have proxy enabled on records if that’s the case. You can disable proxy. If you already have proxy disabled/dns-only, then Cloudflare is fully unrelated to the issue.

If you were allowed to delete your domain from Cloudflare while using CF Registrar, it would just break your domain again in the same way and require a manual fix to set your nameservers back. That also wouldn’t solve your issue.


Domain is https://www.thispantry.com. Hosted on Heroku, but no CSP coming from there.

Thanks for sharing the domain.

Most likely either you have an existing Transform Rule Rewrite Response Headers (from the CF Dash in your website, Rules → Transform Rules → Modify Response Headers), or it is coming from Heroku. You could disable proxy on the DNS Record (under Edit of the record → click Proxy Status) or Pause Cloudflare (on Overview page) to check (would take a sec for DNS propagation though), and that would stop Cloudflare from interfering at all.


Looks like you disabled proxy, and Heroku doesn’t have an SSL Cert for your site. Once you fix that, hopefully under SSL/TLS → Overview you are on “Full (Strict)” as well, it’s the only secure option.

Regardless, I can see over http that the content-security-policy is still being served:


So it is coming from Heroku, hopefully that helps you fix it. I don’t know anything more about their platform to help more.
(I outlined Server: Cowboy, because if it was proxied you would see Server: Cloudflare and other CF-* headers, just to clarify)
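
The header check described in the replies above, written out as an added example (not code from any poster in this thread): it takes a raw response head such as the one printed by `curl -sI`, reports whether the response passed through Cloudflare, and says where a `Content-Security-Policy` header can have come from. The two sample responses and the function names are constructed for illustration.

```python
# Constructed sample response heads (not captured from any real site).
SAMPLE_DIRECT = """HTTP/1.1 200 OK
Server: Cowboy
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; script-src 'self'
"""
SAMPLE_PROXIED = """HTTP/1.1 200 OK
Server: cloudflare
CF-RAY: 0000000000000000-XXX
Content-Security-Policy: default-src 'self'
"""

def parse_head(raw):
    """Return {lowercased header name: [values]}; repeated headers are kept."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_csp(value):
    """Split one policy into {directive: [sources]}; first occurrence wins."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def diagnose(raw):
    h = parse_head(raw)
    # Proxied responses show "Server: cloudflare" and CF-* headers.
    proxied = (any("cloudflare" in s.lower() for s in h.get("server", []))
               or any(n.startswith("cf-") for n in h))
    # Every CSP header present is enforced, so keep all of them.
    policies = [parse_csp(v) for v in h.get("content-security-policy", [])]
    if not policies:
        source = "no CSP in this response"
    elif proxied:
        source = "ambiguous: origin or a Cloudflare response-header rule; retest DNS-only"
    else:
        source = "origin"
    return {"proxied": proxied, "policies": policies, "source": source}

if __name__ == "__main__":
    for sample in (SAMPLE_DIRECT, SAMPLE_PROXIED):
        print(diagnose(sample))
```
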

