add CSP info for Discourse 2.2

add CSP info for Discourse 2.2
diff --git a/docs/ b/docs/
index 27d4fef..190282f 100644
--- a/docs/
+++ b/docs/
@@ -27,6 +27,8 @@ There are 2 main scenarios we protect against:
 2. **Markdown displayed on the page invokes an XSS.** To protect against client side preview XSS, Discourse uses [Google Caja]( in the preview window.
+3. [**CSP is on by default** for all Discourse installations]( as of Discourse 2.2. It can be switched off in the site settings, but it is default on.
 On the server side we run a whitelist based sanitizer, implemented using the [Sanitize gem]( See the [relevant Discourse code](
 In addition, titles and all other places where non-admins can enter code are protected either using the Handlebars library or standard Rails XSS protection.

sha: 358fbeba

1 Like