# Content Security Policy

Permissions Policy and Content Security Policy (CSP) can provide an additional layer of security to your applications.
If you have these policies configured, you need to make sure Footprint features and domains are whitelisted.

## Required Security Headers

Depending on the framework you use, there are different ways to set the Permissions Policy and Content Security Policy headers.
Whichever you use, make sure the following values are added to your policies:

```js
// Header entries to add to your framework's response-header configuration.
[
  {
    key: 'Permissions-Policy',
    value: 'camera=(self "https://*.onefootprint.com/*"), publickey-credentials-get=(self "https://*.onefootprint.com/*"), otp-credentials=(self "https://*.onefootprint.com/*"), clipboard-write=(self "https://*.onefootprint.com/*")'
  },
  {
    key: 'Content-Security-Policy',
    value: 'child-src onefootprint.com; connect-src *.onefootprint.com https://fp.risk.onefootprint.com https://fpnpmcdn.net; frame-src *.onefootprint.com;'
  }
]
```

1. Permissions Policy

   * Footprint identity verification flows require access to the browser's public key credentials to register and verify passkeys.
   * Our flows may also require access to the browser camera if your onboarding configurations collect ID documents and selfies.
   * We also have some functionality that copies content to clipboard, such as copying the test ID in sandbox mode.

More information on Permissions Policy can be found [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy).

2. Content Security Policy

   * Because our integrations run in an iframe for compliance and security reasons, you will also need to make sure Footprint domains are whitelisted in the `child-src`, `connect-src` and `frame-src` directives.

More information on Content Security Policy can be found [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
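
If your application already serves a Content Security Policy, the Footprint sources have to be merged into it rather than replacing it. The following is an added example, not Footprint's own code: `mergeFootprintCsp` is a hypothetical helper that adds the sources listed above to an existing policy string while respecting CSP's fallback rules, so a newly created `connect-src` or `frame-src` does not silently block sources your app previously reached through `default-src`.

```javascript
// Sources copied from the Content-Security-Policy value on this page.
const REQUIRED = {
  'child-src': ['onefootprint.com'],
  'connect-src': ['*.onefootprint.com', 'https://fp.risk.onefootprint.com', 'https://fpnpmcdn.net'],
  'frame-src': ['*.onefootprint.com'],
};
// CSP fallback chains: an absent directive inherits from the first one present.
const FALLBACK = {
  'child-src': ['default-src'],
  'connect-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
};

// Parse a policy string into Map(name -> sources). Directive names are
// case-insensitive and only the first occurrence of a duplicate counts.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// mergeFootprintCsp is a hypothetical helper name, not a Footprint API.
function mergeFootprintCsp(existingHeader) {
  const original = parseCsp(existingHeader);
  const merged = new Map(original);
  for (const [name, required] of Object.entries(REQUIRED)) {
    let sources = original.get(name);
    if (!sources) {
      // Creating a directive stops it inheriting, so seed it with what the
      // fallback allowed. With no fallback the fetch type is unrestricted
      // already, and adding the directive would only block existing traffic.
      const parent = FALLBACK[name].find((d) => original.has(d));
      if (!parent) continue;
      sources = original.get(parent);
    }
    // 'none' is only valid on its own, so drop it once sources are added.
    const kept = sources.filter((s) => s.toLowerCase() !== "'none'");
    merged.set(name, [...new Set([...kept, ...required])]);
  }
  return [...merged].map(([n, s]) => [n, ...s].join(' ')).join('; ');
}
```

The function is idempotent, so it can run on every response or once at build time; directives that are absent and have no fallback are left absent because they are already unrestricted.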