> This page is part of the [Customer.io documentation](https://docs-customerio.netlify.app). For the complete index, see [llms.txt](https://docs-customerio.netlify.app/llms.txt).

# Content Security Policy (CSP)

If you enforce a Content Security Policy (CSP) on your website, you need to add directives that let the JavaScript client load and communicate with Customer.io. This page shows the required directives.

A Content Security Policy (CSP) is a standard that helps you control the resources that a web browser can load on your page. If you enforce a CSP on your website, you need to allow the domains that our JavaScript client communicates with.

 If you’re using our legacy JavaScript snippet, where calls use the `_cio` prefix, see the [legacy CSP page](/integrations/data-in/connections/javascript/legacy-js/content-security-policy/) instead.

## Standard directives[](#csp-directives)

 US data center

#### US data center[](#US data center)

```text
script-src cdp.customer.io;
connect-src cdp.customer.io *.api.gist.build *.cloud.gist.build;
frame-src renderer.gist.build code.gist.build;
style-src 'unsafe-inline';
```

 EU data center

#### EU data center[](#EU data center)

```text
script-src cdp-eu.customer.io;
connect-src cdp-eu.customer.io *.api.gist.build *.cloud.gist.build;
frame-src renderer.gist.build code.gist.build;
style-src 'unsafe-inline';
```

## Use nonce-based authorization[](#nonces)

If your CSP uses [nonce-based authorization](https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce), you can add a nonce to the JavaScript client snippet instead of allowing entire domains in `script-src`. This provides a stricter security model because it authorizes specific script elements rather than entire domains.

Add the `nonce` attribute to the snippet’s `<script>` tag, matching the nonce value in your CSP header:

```html
<script nonce="your-random-nonce-value">
  // Your JavaScript client snippet code here
</script>
```

Your CSP header should include the matching nonce:

```text
script-src 'nonce-your-random-nonce-value' cdp.customer.io;
```

 You still need to allow `cdp.customer.io` in `script-src` because the snippet dynamically loads additional scripts from this domain.

## Package-based installations[](#package-csp)

If you installed the JavaScript client [as a package](/integrations/data-in/connections/javascript/frameworks/)—for example, `@customerio/cdp-analytics-browser`—rather than using the snippet, you don’t need to allow `cdp.customer.io` in `script-src`. The library bundles into your app code. You still need the `connect-src` directives so the library can send data to Customer.io.

```text
connect-src cdp.customer.io *.api.gist.build *.cloud.gist.build;
frame-src renderer.gist.build code.gist.build;
style-src 'unsafe-inline';
```

## Custom proxy setups[](#proxy-csp)

If you’ve set up a [custom proxy](/integrations/data-in/connections/javascript/proxy/) to route requests through your own domain, replace the Customer.io domains in your CSP with your proxy domain. For example, if your proxy domain is `analytics.example.com`:

```text
script-src analytics.example.com;
connect-src analytics.example.com *.api.gist.build *.cloud.gist.build;
```

## Glossary of directives[](#glossary-of-directives)

Some of these directives are required for in-app messaging, which includes features like inbox messages, web-based microsurveys, and so on. If you don’t use these features, you can exclude the relevant directives.

Directive

Host

Description

`script-src`

`cdp.customer.io`

The host for the JavaScript client. The snippet loads the library and integration bundles from this domain.

`connect-src`

`cdp.customer.io`

Required for sending tracking data—identify, track, and page calls—and loading integration settings.

`connect-src`

`*.api.gist.build`, `*.cloud.gist.build`

Required for [in-app messaging](/journeys/in-app-getting-started/). We use these domains for message queues and real-time updates. You can exclude these if you don’t send in-app messages.

`frame-src`

`renderer.gist.build`, `code.gist.build`

Required for rendering in-app messages in iframes. You can exclude these if you don’t send in-app messages.

`style-src`

`'unsafe-inline'`

Required because the in-app messaging infrastructure injects inline `<style>` blocks to position and display messages. You can exclude this if you don’t send in-app messages.

## Frequently asked questions[](#frequently-asked-questions)

**Do you need `unsafe-inline` or `unsafe-eval` in `script-src`?**

No! Unlike our legacy JavaScript snippet, the JavaScript client loads as an external script. You don’t need `unsafe-inline` or `unsafe-eval` in your `script-src` directive. This is one of the benefits of upgrading from the legacy snippet.

**Can you exclude in-app messaging directives?**

Yes. If you don’t send [in-app messages](/journeys/in-app-getting-started/) (including inbox messages, microsurveys, and so on), you can remove all `gist` domains from your CSP:

*   `*.api.gist.build` and `*.cloud.gist.build` from `connect-src`
*   `renderer.gist.build` and `code.gist.build` from `frame-src`
*   `'unsafe-inline'` from `style-src`