Create CSP Trusted Sites to Access Third-Party APIs

The Lightning Component framework uses Content Security Policy (CSP), which is a W3C standard, to control the source of content that can be loaded on a page. To use third-party APIs that make requests to an external (non-Salesforce) server, add the server as a CSP Trusted Site.
Available in: Salesforce Classic and Lightning Experience
Available in: Developer, Enterprise, Performance, and Unlimited

User Permissions Needed
To create, read, update, and delete: Customize Application or Modify All Data

CSP is a Candidate Recommendation of the W3C working group on Web Application Security. The framework uses the Content-Security-Policy HTTP header recommended by the W3C. By default, the framework’s headers allow content to be loaded only from secure (HTTPS) URLs and forbid XHR requests from JavaScript.

When you define a CSP Trusted Site, the site’s URL is added to the list of allowed sites for the following directives in the CSP header.
  • connect-src
  • frame-src
  • img-src
  • style-src
  • font-src
  • media-src
This change to the CSP header directives allows Lightning components to load resources, such as images, styles, and fonts, from the site. It also allows client-side code to make requests to the site.
Important

You can’t load JavaScript resources from a third-party site, even a CSP Trusted Site. To use a JavaScript library from a third-party site, add it to a static resource, and then add the static resource to your component. After the library is loaded from the static resource, you can use it as normal.

  1. From Setup, enter CSP in the Quick Find box, then select CSP Trusted Sites.
    This page displays a list of any CSP Trusted Sites already registered, and provides additional information about each site, including site name and URL.
  2. Select New Trusted Site.
  3. Name the Trusted Site.
    For example, enter Google Maps.
  4. Enter the URL for the Trusted Site.
    The URL must begin with http:// or https://. It must include a domain name, and can include a port.
    Warning

    The default CSP requires secure (HTTPS) connections for external resources. Configuring a CSP Trusted Site with an insecure (HTTP) URL is an anti-pattern, and compromises the security of your org.

  5. Enter a description for the Trusted Site.
  6. To temporarily disable a Trusted Site without actually deleting it, deselect the Active checkbox.
  7. Select Save.
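An added example, not Salesforce's own code, that models the header change described above: registering a Trusted Site appends its origin to the six directives listed earlier and to nothing else, so an image or XHR from the site passes while a script load from the same site still fails. The base policy, the `selfOrigin` parameter and the site names are assumptions for illustration, not the exact header the framework emits.

```javascript
// Added example (not Salesforce code): models how a CSP Trusted Site widens
// only the six directives listed on the page, leaving script-src untouched.
const TRUSTED_SITE_DIRECTIVES = [
  "connect-src", "frame-src", "img-src", "style-src", "font-src", "media-src",
];

// Assumed base policy (illustrative, not the framework's real header):
// same-origin only, so cross-origin XHR and third-party scripts are blocked.
const BASE_POLICY = Object.fromEntries(
  ["default-src", "script-src", ...TRUSTED_SITE_DIRECTIVES].map((d) => [d, ["'self'"]]),
);

// Validate a Trusted Site URL: http(s) scheme and a host name; port optional.
// Returns the CSP source expression (scheme://host[:port]) plus an insecure
// flag, because an http:// site weakens the HTTPS-only default.
function trustedSiteSource(url) {
  const u = new URL(url); // throws on a malformed URL
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  return { source: u.origin, insecure: u.protocol === "http:" };
}

// Build the effective header from the base policy and the active Trusted Sites.
function buildCspHeader(sites, base = BASE_POLICY) {
  const policy = Object.fromEntries(Object.entries(base).map(([d, v]) => [d, [...v]]));
  for (const site of sites) {
    if (!site.active) continue; // a deactivated site is not added to the header
    const { source } = trustedSiteSource(site.url);
    for (const d of TRUSTED_SITE_DIRECTIVES) policy[d].push(source);
  }
  return Object.entries(policy).map(([d, v]) => `${d} ${v.join(" ")}`).join("; ");
}

// Decide whether a load governed by `directive` from `resourceUrl` passes the
// header. `selfOrigin` is the page's own origin, matched by 'self'.
function isAllowed(header, directive, resourceUrl, selfOrigin) {
  const policy = Object.fromEntries(
    header.split(";").map((part) => {
      const [d, ...sources] = part.trim().split(/\s+/);
      return [d, sources];
    }),
  );
  const sources = policy[directive] ?? policy["default-src"] ?? [];
  const origin = new URL(resourceUrl).origin;
  return sources.includes(origin) || (sources.includes("'self'") && origin === selfOrigin);
}
```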
Note

CSP Trusted Sites affect the CSP header only for Lightning Component framework requests. To enable corresponding access for Visualforce or Apex, create a Remote Site.

CSP isn’t enforced by all browsers. For a list of browsers that enforce CSP, see caniuse.com.

IE11 doesn’t support CSP, so we recommend using other supported browsers for enhanced security.