Content Security Policy for project websites

This policy becomes effective March 1, 2025.

For your project's website:

• External trackers from 3rd party providers are not allowed. The ASF offers Matomo analytics for all project websites through analytics.apache.org.
• External resources, such as videos or PDFs, from providers with which we do not have a Data Processing Agreement (DPA) are not allowed to be embedded in the project's website. If you have a DPA request or inquiry, contact privacy@apache.org. They can also tell you if a provider whose content you want to embed in your website has already signed a DPA.
• Links to external resources are allowed if the site visitor must give explicit consent in order to see or use the content. This consent cannot be opt-out, and there must be a clear way for the visitor to retract consent at a later time.

This policy brings project websites into alignment with the security and privacy parameters defined by the VP, Data Privacy and as requested by The ASF Security Committee. We ask that projects do not circumvent them without express permission from our VP, Data Privacy.

Review The ASF's project website policy here.