🔒 Captcha.eu CSP Integration

Production-ready Content Security Policy configuration for secure CAPTCHA integration

📋 Required CSP Headers

Content-Security-Policy:
script-src 'self' https://www.captcha.eu 'unsafe-inline';
style-src 'self' https://www.captcha.eu 'unsafe-inline';
worker-src https://www.captcha.eu;
connect-src https://www.captcha.eu;
frame-src 'self';
img-src 'self' https://www.captcha.eu data:;

What each directive is for:

script-src: Load the SDK and execute initialization
style-src: Widget styling and animations
worker-src: Background challenge processing
connect-src: API calls for validation
frame-src: V2 widget iframe rendering
img-src: Logo and challenge images

🛡️ Security Benefits

Domain Scoped: All permissions limited to https://www.captcha.eu only
No Third-Party Scripts: External scripts blocked except CAPTCHA
Network Isolation: API calls restricted to CAPTCHA domain
Worker Protection: Background code only from trusted source

Documentation

Full CSP Guide

Complete integration guide with examples for Nginx, Apache, Node.js, Django, WordPress, and more frameworks.


💡 Why 'unsafe-inline' is Acceptable

While 'unsafe-inline' for styles is required, it represents minimal security risk in this context:

Scripts are still restricted to your domain and https://www.captcha.eu
Network requests are limited to https://www.captcha.eu only
Workers can only load from https://www.captcha.eu
Inline styles cannot execute code or leak data

This configuration provides strong XSS protection while allowing the widget to function properly.
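As an added check (not Captcha.eu's own code), the script below parses a policy like the one above and reports anything that breaks the guarantees this section claims: hosts other than https://www.captcha.eu, 'unsafe-eval', and 'unsafe-inline' in any directive other than style-src. Run on the header as printed above it flags script-src, which also carries 'unsafe-inline'; the nonce variant (placeholder nonce, an assumption, not from the page) shows the form under which the "scripts are restricted" claim holds.

```python
# Added example, not Captcha.eu's code: audit a CSP header against the guarantees
# claimed on this page (captcha.eu-only hosts, no inline or eval'd scripts).
import re

CAPTCHA_ORIGIN = "https://www.captcha.eu"
# Directives the widget needs, taken from the table above.
REQUIRED = {"script-src", "style-src", "worker-src", "connect-src", "frame-src", "img-src"}

# The page's policy, joined into a single header value.
PAGE_POLICY = (
    "script-src 'self' https://www.captcha.eu 'unsafe-inline'; "
    "style-src 'self' https://www.captcha.eu 'unsafe-inline'; "
    "worker-src https://www.captcha.eu; connect-src https://www.captcha.eu; "
    "frame-src 'self'; img-src 'self' https://www.captcha.eu data:"
)
# Same policy with a per-response nonce on the initialization snippet instead of
# 'unsafe-inline' (constructed placeholder; a real nonce is random per response).
NONCE_POLICY = PAGE_POLICY.replace(
    "script-src 'self' https://www.captcha.eu 'unsafe-inline'",
    "script-src 'self' https://www.captcha.eu 'nonce-PLACEHOLDER'")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [sources]}; first occurrence wins, as in browsers."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def audit(header: str) -> list[str]:
    """Return findings where the policy deviates from the page's stated guarantees."""
    policy = parse_csp(header)
    findings = [f"{d}: missing, the widget needs it" for d in sorted(REQUIRED - set(policy))]
    for directive, sources in policy.items():
        # Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
        # so only the bare keyword really permits arbitrary inline scripts.
        nonced = any(re.match(r"'(nonce|sha(256|384|512))-", s) for s in sources)
        for src in sources:
            if src == "'unsafe-inline'" and directive != "style-src" and not nonced:
                findings.append(f"{directive}: 'unsafe-inline' permits any inline script")
            elif src == "'unsafe-eval'":
                findings.append(f"{directive}: 'unsafe-eval' permits eval()")
            elif not src.startswith("'") and not src.endswith(":") and src != CAPTCHA_ORIGIN:
                findings.append(f"{directive}: host {src} is outside {CAPTCHA_ORIGIN}")
    return findings
```

audit(PAGE_POLICY) returns a single finding for script-src, while audit(NONCE_POLICY) returns an empty list; a missing directive or an extra host in any directive is reported the same way.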