Skip to content

PageShieldPolicy

Source: src/Cloudflare/PageShield/Policy.ts

A Page Shield policy — a Content Security Policy rule (/zones/{zone_id}/page_shield/policies) that is applied when its expression matches a request.

Policies let you enforce (or log violations of) a CSP at the edge, positively blocking resources Page Shield hasn’t approved. All fields are mutable in place; only the zone forces a replacement.

Entitlement-gated: CSP policies are an Enterprise add-on. On non-entitled zones, creation fails with the typed PolicyQuotaExceeded error (“exceeded the maximum number of rules in the phase http_response_page_shield: 1 out of 0”). Page Shield itself should be enabled on the zone first — see Cloudflare.PageShieldSettings.

Creating a Policy

Section titled “Creating a Policy”

Log-only CSP policy

const zone = yield* Cloudflare.Zone("Site", { name: "example.com" });


yield* Cloudflare.PageShieldSettings("PageShield", {
  zoneId: zone.zoneId,
});


yield* Cloudflare.PageShieldPolicy("LogScripts", {
  zoneId: zone.zoneId,
  action: "log",
  expression: 'http.host eq "example.com"',
  value: "script-src 'self'",
});

Enforcing CSP policy with a description

yield* Cloudflare.PageShieldPolicy("EnforceScripts", {
  zoneId: zone.zoneId,
  description: "block third-party scripts on checkout",
  action: "allow",
  expression: 'starts_with(http.request.uri.path, "/checkout")',
  value: "script-src 'self' https://js.stripe.com",
});