Page Shield FAQ
When you create policies, Cloudflare will generate content security policy (CSP) directives from those policies based on their configuration:
- Log policies will create CSP directives for the
Content-Security-Policy-Report-OnlyHTTP header. - Allow policies will create CSP directives for the
Content-Security-PolicyHTTP header.
Page Shield only adds new CSP HTTP headers to the response. This means that Cloudflare will keep any Content-Security-Policy-Report-Only and Content-Security-Policy HTTP headers in the response set by the origin server and it will add separate HTTP headers for the policies configured on your Cloudflare zone.
It is recommended that you only have one policy in allow mode (that is, a policy being enforced). If there is more than one Content-Security-Policy HTTP header in the response, the most restrictive policy wins. For more information, refer to the MDN documentation ↗.
Page Shield currently does not support nonce ↗ directives in policies. Instead, you can use a hash ↗ CSP directive. For details on the supported directives and values, refer to Supported CSP directives.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark