Content Security Policy (CSP) is a security standard that adds an extra layer of security by specifying domains that the browser should consider to be valid sources of content on the website. In our specific case, it's about the source of content loaded in the LiveAgent agent panel or in the LiveAgent knowledgebase portal.
Defining these Content Security Policy (CSP) headers can prevent various cross-site scripting (XSS), clickjacking, and similar code injection attacks aimed at your LiveAgent agent panel or your LiveAgent knowledgebase.
If you decide to enable this feature, it is very important that all allowed sources are defined correctly: any script or content served from a domain that is not listed will be blocked by the browser, which can break parts of your customer portal or agent panel. Therefore, it is strongly recommended that you enable this feature only if you are familiar with CSP and how it works, or that you ask your web admin to set it up for you. If you want to get more familiar with CSP and all the technical details, a very good source of information is this website.
Setup
To enable the CSP feature in LiveAgent, open your LiveAgent admin panel and navigate to Configuration > Security > Settings.
Here you will find two check-boxes, Enable CSP headers for Agent panel and Enable CSP headers for KB. When either one is enabled, a new field appears just below it, where you define the trusted domains.
- Enable CSP headers for Agent panel defines the CSP for the LiveAgent panel used by your agents.
- Enable CSP headers for KB defines the CSP for your LiveAgent customer portal and knowledgebase, which are publicly available to everyone.
For example, suppose you would like to embed iframes in your knowledge base articles from the domains example.com and anotherexample.com, and you would also like to load scripts from example.com and all of its subdomains, but only over HTTPS. In that case you need to set up the CSP headers in the following format:
frame-src 'self' example.com anotherexample.com;
script-src 'self' https://*.example.com/ https://example.com/;
Check out a screenshot of our example below:
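To see what the two directives above actually permit, here is an added example (not LiveAgent's code) that parses a policy string in the same format and decides whether a given resource URL would be allowed. It implements a simplified form of the CSP source-matching rules: 'self', scheme-only sources such as https:, and host sources with an optional scheme, a leading "*." wildcard and a path prefix. The policy value, the page origin support.example-company.com and every sample URL are constructed for illustration.

```python
"""
Evaluate a Content Security Policy (CSP) header against candidate resource URLs.

Added example, not LiveAgent's code. The policy below is the one from the
article; the page origin and the sample URLs are constructed. Matching follows
the CSP host-source rules in simplified form (no nonces, hashes or 'unsafe-*').
"""
from urllib.parse import urlsplit

# Policy from the article, joined into a single header value (constructed sample).
POLICY = (
    "frame-src 'self' example.com anotherexample.com; "
    "script-src 'self' https://*.example.com/ https://example.com/"
)
# Hypothetical origin of the knowledgebase page that carries the header.
PAGE = "https://support.example-company.com"


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches any subdomain (at least one label), not the apex."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"; the dot keeps 'notexample.com' out
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Return True if one CSP source expression permits the given URL."""
    target, page = urlsplit(url), urlsplit(page_origin)
    if source == "'self'":
        return (target.scheme, target.hostname, target.port) == (
            page.scheme, page.hostname, page.port)
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. "https:"
        return target.scheme == source[:-1].lower()
    # host-source: [scheme://]host[:port][/path]
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if target.scheme != scheme.lower():
            return False  # e.g. http:// script against an https:// source
    else:
        rest = source
        # No explicit scheme: the page's scheme applies, and an https resource
        # is also accepted (simplified CSP3 rule).
        if target.scheme not in (page.scheme, "https"):
            return False
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not _host_matches(host.lower(), (target.hostname or "").lower()):
        return False
    if port and str(target.port or "") != port:
        return False
    if path:  # a path ending in "/" is a prefix, otherwise it must match exactly
        path, url_path = "/" + path, (target.path or "/")
        return url_path.startswith(path) if path.endswith("/") else url_path == path
    return True


def allowed(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """Decide whether `url` may load under `directive`, falling back to default-src."""
    directives = parse_policy(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # nothing governs this fetch type, so CSP does not restrict it
    if sources == ["'none'"]:
        return False
    return any(source_matches(s, url, page_origin) for s in sources)


def evaluate(policy: str, page_origin: str, requests: list[tuple[str, str]]) -> dict[str, bool]:
    """Map 'directive url' to the allow/block decision for a batch of fetches."""
    return {f"{d} {u}": allowed(policy, d, u, page_origin) for d, u in requests}


if __name__ == "__main__":
    sample = [  # constructed fetches a knowledgebase page might trigger
        ("frame-src", "https://example.com/embed/1"),
        ("frame-src", "https://sub.example.com/embed"),   # no wildcard in frame-src
        ("script-src", "https://cdn.example.com/app.js"),
        ("script-src", "http://cdn.example.com/app.js"),  # not HTTPS
        ("script-src", "https://notexample.com/app.js"),  # look-alike apex
        ("script-src", PAGE + "/assets/app.js"),          # 'self'
        ("img-src", "https://anything.test/x.png"),       # no directive, no default-src
    ]
    for key, ok in evaluate(POLICY, PAGE, sample).items():
        print(f"{'ALLOW' if ok else 'BLOCK':5}  {key}")
```

Running it shows the two traps the article warns about: an iframe from a subdomain of example.com is blocked because frame-src lists only the apex domains, and a script loaded over plain HTTP is blocked because the script-src entries require https://. Note also that a fetch type with no directive and no default-src is not restricted at all, so if you want images or fonts covered you must list them too.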