FAQ: Content Security Policy

What should I do if Userpilot refuses to connect to my page?

Userpilot sends data over a WebSocket connection. This issue is most likely due to a Content Security Policy (CSP) blocking the connection; some networks block the WebSocket connection. This can be fixed by asking your engineering team to whitelist Userpilot on your domain. We also recommend checking Userpilot's developer docs to understand what goes in and out of a client's network.

You'll need to ensure that your policy allows Userpilot.js requests:

style-src    'self' https://*.userpilot.io https://fonts.gstatic.com https://fonts.googleapis.com 'unsafe-inline';
script-src   'self' https://*.userpilot.io 'unsafe-inline';
img-src      'self' https://*.userpilot.io;
connect-src  https://*.userpilot.io *.userpilot.io wss:;

Use the lists below for more detailed whitelisting:

connect-src:
 https://uploads.userpilot.io
 https://api.userpilot.io
 wss://api.userpilot.io
 https://find.userpilot.io
 https://find-x.userpilot.io
 https://find-y.userpilot.io
 https://find-z.userpilot.io
 https://find-w.userpilot.io
 wss://analytex.userpilot.io
 wss://analytex-us.userpilot.io
 wss://analytex-eu.userpilot.io
 wss://analytex-in.userpilot.io
 https://analytex.userpilot.io
 https://analytex-us.userpilot.io
 https://analytex-eu.userpilot.io
 https://analytex-in.userpilot.io
 https://reporting.userpilot.io
 wss://reporting.userpilot.io
 https://playground.userpilot.io

font-src:
 https://fonts.googleapis.com
 https://fonts.gstatic.com
 https://fonts.userpilot.io

media-src:
 https://js.userpilot.io

img-src:
 https://media.userpilot.io
 https://uploads.userpilot.io
 https://gifs.userpilot.io
 https://videos.userpilot.io

script-src:
 https://js.userpilot.io
 https://deploy.userpilot.io

style-src:
 'unsafe-inline'
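
To check a policy against these origins before deploying it, the following added example (not Userpilot's code) parses a Content-Security-Policy header value and reports which of a subset of the origins listed above it would block. The matching is simplified, and REQUIRED, SAMPLE_POLICY and the function names are this example's own.

```javascript
// Added example, not Userpilot code. Ports and paths in sources are not handled.
const REQUIRED = { // a subset of the origins listed on this page
  'connect-src': ['https://api.userpilot.io', 'wss://api.userpilot.io', 'wss://analytex-eu.userpilot.io'],
  'script-src': ['https://js.userpilot.io', 'https://deploy.userpilot.io'],
  'img-src': ['https://media.userpilot.io'],
  'font-src': ['https://fonts.userpilot.io'],
};
// Constructed sample policy, stricter than the broad one on this page.
const SAMPLE_POLICY = "default-src 'self'; connect-src https://*.userpilot.io *.userpilot.io; " +
  "script-src 'self' https://js.userpilot.io";

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first one wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}
const schemeOk = (src, url) =>
  src === url || (src === 'http:' && url === 'https:') || (src === 'ws:' && url === 'wss:');
function sourceAllows(source, url, pageScheme) {
  const u = new URL(url);
  if (source === '*') return true;
  if (source.startsWith("'")) return false; // keywords and nonces never name a third-party origin
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return schemeOk(source.toLowerCase(), u.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  // A source without a scheme inherits the page's scheme, so on an https page
  // "*.userpilot.io" does not cover wss:// connections.
  if (!schemeOk(m[1] ? m[1].toLowerCase() + ':' : pageScheme, u.protocol)) return false;
  const host = m[2].toLowerCase();
  return host.startsWith('*.') ? u.hostname.endsWith(host.slice(1)) : u.hostname === host;
}

// Lists "directive url" for every required origin the policy would block.
function blockedOrigins(header, required = REQUIRED, pageScheme = 'https:') {
  const policy = parseCsp(header);
  const blocked = [];
  for (const [directive, urls] of Object.entries(required)) {
    const sources = policy.get(directive) ?? policy.get('default-src');
    if (!sources) continue; // no directive and no default-src: nothing is restricted
    for (const url of urls)
      if (!sources.some((s) => sourceAllows(s, url, pageScheme))) blocked.push(`${directive} ${url}`);
  }
  return blocked;
}
console.log(blockedOrigins(SAMPLE_POLICY));
```

Run it with Node.js and pass the header value your site actually sends; an empty result means none of the checked origins is blocked.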

If you have any questions, shoot us an email at support@userpilot.co
