Getting Started with Certifying Leads on Sites Using a Content Security Policy (CSP)

Alex Wolfe

Guide Overview

Summary:
This guide explains how to configure your Content Security Policy (CSP) so the TrustedForm Certify Web SDK can successfully generate certificates for leads on your website.

Learning Objectives:

  • Understand what a Content Security Policy (CSP) is and why it matters
  • Learn which domains must be allowed in your CSP
  • Confirm that TrustedForm Certify is working correctly under your CSP configuration

Quick Start Workflow

  1. Review your existing Content Security Policy
  2. Allow necessary script and network domains
  3. Deploy the updated CSP
  4. Submit a test form
  5. Confirm the TrustedForm certificate field is present

Step-by-Step Instructions

Step 1. Understand Your Content Security Policy (CSP)

  • Goal: Know how CSP affects third-party scripts like TrustedForm Certify
  • Context: A CSP defines which sources of scripts, images, and network requests are permitted by the browser. It helps prevent malicious or unauthorized code from running on your site.

Instructions:

  1. Locate where your CSP is defined (HTTP response headers or <meta> tags).
  2. Review the existing script-src, img-src, and connect-src directives.
  3. Identify whether third-party domains are restricted.

Expected Result:
You understand where and how your CSP is enforced on your site.


Step 2. Allow Required Domains

  • Goal: Ensure TrustedForm Certify can load its SDK and communicate with its API
  • Context: The TrustedForm Certify Web SDK loads a script from a CDN and communicates with an API to generate a certificate URL. Both actions must be permitted by your CSP.

Instructions:

  1. Add the following domains to your CSP:
     • cdn.trustedform.com
     • api.trustedform.com
  2. Allow these domains in the following directives:
     • script-src
     • img-src
     • connect-src
  3. Confirm the changes are saved in your CSP configuration.

Expected Result:
Your CSP explicitly allows TrustedForm to load scripts and make network requests.


Step 3. Apply a Minimal Working CSP Example

  • Goal: Quickly validate a known-good CSP configuration
  • Context: The example below shows the minimum CSP entries required for TrustedForm to function correctly.

Instructions:

  1. Compare your CSP against the example below.
  2. Add or merge the required TrustedForm entries as needed.

     Content-Security-Policy:
       default-src 'self';
       script-src 'self' 'unsafe-inline' https://api.trustedform.com https://cdn.trustedform.com;
       img-src 'self' https://api.trustedform.com https://cdn.trustedform.com;
       connect-src 'self' https://api.trustedform.com https://cdn.trustedform.com;

  3. Deploy the updated policy to your environment and install the TrustedForm Certify Web SDK on your form pages.

Expected Result:
Your CSP includes all required TrustedForm domains while preserving your existing security rules.
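The checks in Steps 2 and 3 (is each TrustedForm host allowed in script-src, img-src and connect-src, and how do you merge it in without disturbing the rest of the policy?) can be automated. The script below is an added example, not TrustedForm's own tooling; it assumes a CSP delivered as a single header value and treats a directive that is absent from the policy as falling back to default-src, which is how browsers apply it.

```python
"""Check an existing CSP for the TrustedForm Certify sources and merge them in."""
from __future__ import annotations

# Hosts the guide requires, and the directives they must appear in.
REQUIRED_SOURCES = ("https://cdn.trustedform.com", "https://api.trustedform.com")
REQUIRED_DIRECTIVES = ("script-src", "img-src", "connect-src")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source, ...]}."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def source_allows(source: str, url: str) -> bool:
    """Host-source match: exact host, scheme-only ('https:'), '*' or wildcard subdomain."""
    host = url.split("://", 1)[1]
    if source in (url, host, "https:", "*"):
        return True
    if source.startswith(("https://*.", "*.")):
        suffix = source.split("*.", 1)[1]
        return host.endswith("." + suffix)
    return False


def missing_sources(policy: str) -> dict[str, list[str]]:
    """Return {directive: [urls not yet allowed]}; absent directives fall back to default-src."""
    csp = parse_csp(policy)
    gaps: dict[str, list[str]] = {}
    for directive in REQUIRED_DIRECTIVES:
        sources = csp.get(directive, csp.get("default-src", []))
        absent = [u for u in REQUIRED_SOURCES if not any(source_allows(s, u) for s in sources)]
        if absent:
            gaps[directive] = absent
    return gaps


def merge_required(policy: str) -> str:
    """Append missing sources; a directive that did not exist is seeded from default-src."""
    csp = parse_csp(policy)
    for directive, urls in missing_sources(policy).items():
        csp[directive] = csp.get(directive, list(csp.get("default-src", []))) + urls
    return "; ".join(f"{d} {' '.join(v)}".rstrip() for d, v in csp.items())


if __name__ == "__main__":
    # Constructed sample: scripts already allowed, img-src and connect-src inherit default-src.
    sample = "default-src 'self'; script-src 'self' https://cdn.trustedform.com https://api.trustedform.com"
    print(missing_sources(sample))
    print(merge_required(sample))
```

The checker only confirms that the TrustedForm sources are reachable; it does not judge the rest of your policy, so review any other sources (for instance 'unsafe-inline' in script-src) on their own merits.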


Validate Your Setup

After updating your CSP:

  1. Open the page containing your form.
  2. Open your browser’s developer tools.
  3. Inspect the form fields.
  4. Look for a hidden field named xxTrustedFormCertUrl (or your custom field name).

If the field is present, TrustedForm is working correctly under your CSP.


Troubleshooting

Symptom / Error Message: TrustedForm certificate not created
Likely Cause: TrustedForm domains blocked by CSP
Resolution: Add cdn.trustedform.com and api.trustedform.com to CSP directives

Symptom / Error Message: Missing xxTrustedFormCertUrl field
Likely Cause: SDK unable to load or connect
Resolution: Confirm script-src and connect-src allow TrustedForm domains

Symptom / Error Message: CSP console errors in browser
Likely Cause: Incomplete CSP configuration
Resolution: Review and update CSP using the provided example

Frequently Asked Questions (FAQ)

Q: Why does TrustedForm Certify require CSP changes?
A: TrustedForm Certify loads its SDK from a CDN and sends requests to its API. A restrictive CSP must explicitly allow both actions.

Q: Do I need to replace my existing CSP?
A: No. You can add the domains to your existing policy while keeping all other rules intact.

Q: Which field confirms TrustedForm Certify is working?
A: The hidden form field named xxTrustedFormCertUrl (or a custom field name) confirms successful certificate generation.


Glossary

Content Security Policy (CSP): A browser security feature that restricts which sources can load scripts, images, and network requests.
TrustedForm Certify Web SDK: A JavaScript SDK that generates TrustedForm certificates.
CDN: Content Delivery Network.
Certificate URL: A URL generated by TrustedForm Certify that represents proof of lead origin.
