"Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware." —Mozilla

This document is an overview of how VA.gov implements, uses, and manages a content security policy. This document assumes you have an understanding of CSP, CSP directives and a high level understanding of VA.gov's infrastructure (specifically where the reverse proxy sits in the content delivery flow).

Generation of CSP

There are two components of the CSP generated by Va.gov's reverse proxy.

  • CSP HTTP headersContent-Security-Policy-Report-Only and Content-Security-Policy (currently not active)

  • nonce header value and HTML attribute: A unique value (nonce) is generated for each page visit. The nonce is added to the CSP header and to each occurance of the nonce attribute in the HTML document. The nonce is added to the HTML document with a simple string replacement of CSP_NONCE.

CSP logger

VA.gov uses Sentry as its CSP logger. Sentry CSP logs for each environment:

Reports are throttled by the reverse proxy by setting the report-url in the CSP header for only on a percentage of visits.

Configuration and maintenance

The following applies when editing the CSP:

  • Updates to the CSP must be approved by the Release Tools team

  • Updates to the CSP must be tested on staging before releasing into production

    • The only way to test the CSP is to add it to an environment and monitor the logger for violations

  • Updates to the CSP must be in pull requests without other changes to enable easy rollback

  • The updater is responsible for monitoring the CSP logger after changes are pushed into production

  • The CSP should be backwards compatible to version 1.0 to ensure maximum coverage. Use the CSP quick reference guide for this task.

  • Validate the CSP header using the CSP Evaluator. Current process for this is to deploy changes to staging and capture the header from a browser request / response.

CSP configurations:

Exempted third party scripts

This is an overview of the third party managed scripts allowed to run on VA.gov.



Digital Analytics Program

Provides a JavaScript file for US federal agencies to link or embed in their websites to participate in the Digital Analytics Program.

Google Analytics

Web analytics platform.

Google Maps (via Leafletjs)

Facility locator uses leaflet to annotate its map. This dependency leverages the Google maps js framework.

Google Optimize

An a/b testing + personalization tool.


used to deliver messages to veterans.


A location / address tool used in the Facility Locator.


Survey tool


Embedded video

Approval for new third party scripts


Quarterly review process


Related info