# Content Security Policy Header

### What to do if your website enforces a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) header:

Crobox loads scripts, fonts, images and fetches data from 2 domains, so you need to add both of the following to your CSP:

* **`cdn.crobox.io`**
* **`api.crobox.com`**

to the `script-src`, `font-src` , `img-src` , `connect-src` sections (or `default-src` if not using those specifics) sections of the CSP header.\
\
Crobox creates the stylesheets dynamically so you will need to add **`'unsafe-inline'`** the `style-src` section.

Other third-parties that might be used are Google Fonts and Unsplash, so their resources also need to be whitelisted, if not already included in your CSP.

Depending on how strict the policy is applied you might also have to add **`'unsafe-eval'`** to `script-src` since this is used for the Crobox preview mode.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.crobox.com/getting-started/first-steps/content-security-policy-header.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.