
Security headers

Documentation of the headers available under your profile icon > Account Overview > Developer

Written by Andreas Grosen

Security headers are used to make web applications more secure.

The documentation around them is technical in nature, and for that reason we will refer to external resources found here: https://developer.mozilla.org/.

This article gives an overview of which security headers are available in Playable. You can access these under your profile icon > Account Overview > Developer.

Note! The developer tab can only be accessed by users with an account administrator role.

Content Security Policy

Content Security Policy (CSP) covers a wide range of headers. In Playable, you can enable domain restriction, which restricts where your campaign can be iframed. To view your account's security headers, navigate to your profile icon > Account Overview > Developer > Security headers.


Enable domain restrictions to restrict which domains are allowed to display your campaigns in an iframe. Enter the allowed source values using valid Content Security Policy syntax.

Examples:

For most setups, we recommend adding both the main domain and its subdomains explicitly, for example:

https://example.com

https://*.example.com

This allows embedding from both the main domain and HTTPS subdomains.
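Why both entries are needed, shown as an added example (not Playable's code) that follows the CSP host-source matching rules. Function names and sample origins are constructed, and the sketch assumes every entry carries an explicit scheme, as in the examples above.

```javascript
// Added example, not Playable's code: frame-ancestors host-source checks.
// Function names and sample values are constructed for illustration.

// scheme://host[:port]; "*" is valid only as the entire leftmost host label.
const HOST_SOURCE =
  /^([a-z][a-z0-9+.-]*):\/\/(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i;
const DEFAULT_PORT = { http: "80", https: "443" };

function parseSource(value) {
  const m = HOST_SOURCE.exec(value.trim());
  if (!m) return null; // malformed per the CSP grammar, e.g. wildcard mid-host or trailing
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || null };
}

// Does one allow-list entry permit a page at `origin` to frame the campaign?
function sourceAllows(source, origin) {
  const src = parseSource(source);
  if (!src) return false;
  const url = new URL(origin);
  const scheme = url.protocol.slice(0, -1);
  // An http source also matches the https upgrade of the same host.
  const schemeOk = src.scheme === scheme || (src.scheme === "http" && scheme === "https");
  // "*.example.com" matches hosts ending in ".example.com", so not "example.com" itself.
  const hostOk = src.host.startsWith("*")
    ? url.hostname.endsWith(src.host.slice(1))
    : url.hostname === src.host;
  // No port in the source means the scheme's default port.
  const port = url.port || DEFAULT_PORT[scheme] || "";
  const portOk = src.port === "*" || port === (src.port || DEFAULT_PORT[scheme] || "");
  return schemeOk && hostOk && portOk;
}

function isEmbeddingAllowed(allowList, origin) {
  return allowList.some((source) => sourceAllows(source, origin));
}

// Constructed sample values.
const allowList = ["https://example.com", "https://*.example.com"];
for (const origin of ["https://example.com", "https://shop.example.com",
                      "http://shop.example.com", "https://example.com.other.test"]) {
  console.log(origin, isEmbeddingAllowed(allowList, origin));
}
```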

Invalid wildcard examples:

If you are embedding your game in a hybrid app, you will want to make sure frame ancestors are disabled.

Referrer Policy

Referrer policy controls how much information can be sent along in external links from your campaign to another URL.

This could be, for example, including Playable as the source of traffic to your website.

You can select your preferred referrer policy from the drop-down menu.

Read here for more information.

Permissions Policy

Permissions policy controls which browser features can be used on your campaign (for example, geolocation).

If you enable this setting in Playable, you will be able to build your own permissions policy in the free text input field.

Read here for more information.
