# Content Security Policy (CSP)

> Ensure that your CSP configuration allows requests to the necessary Userpilot resources, including scripts, connections, frames, and other assets.

Userpilot sends data over a WebSocket connection. If you're experiencing issues with data not being sent or features not functioning as expected, it's likely that a Content Security Policy (CSP) is blocking these connections. This can be fixed by asking your engineering team to whitelist Userpilot on your domain. We also recommend checking Userpilot's developer docs to understand what goes in and out of a client's network.

You'll need to ensure that your policy allows Userpilot.js requests:

```text theme={null}
style-src    'self' https://*.userpilot.io https://fonts.gstatic.com https://fonts.googleapis.com 'unsafe-inline';
script-src   'self' https://*.userpilot.io 'unsafe-inline';
img-src      'self' https://*.userpilot.io;
connect-src  https://*.userpilot.io *.userpilot.io wss:;
```

Use the list below for more detailed, per-host whitelisting:

```text theme={null}
connect-src
 https://uploads.userpilot.io
 https://api.userpilot.io
 wss://api.userpilot.io
 https://find.userpilot.io
 https://find-x.userpilot.io
 https://find-y.userpilot.io
 https://find-z.userpilot.io
 https://find-w.userpilot.io
 wss://analytex.userpilot.io
 wss://analytex-us.userpilot.io
 wss://analytex-eu.userpilot.io
 wss://analytex-in.userpilot.io
 https://analytex.userpilot.io
 https://analytex-us.userpilot.io
 https://analytex-eu.userpilot.io
 https://analytex-in.userpilot.io
 https://reporting.userpilot.io
 wss://reporting.userpilot.io
 https://playground.userpilot.io

font-src
 https://fonts.googleapis.com
 https://fonts.gstatic.com
 https://fonts.userpilot.io

media-src
 https://js.userpilot.io

img-src
 https://media.userpilot.io
 https://uploads.userpilot.io
 https://gifs.userpilot.io
 https://videos.userpilot.io

script-src
 https://js.userpilot.io
 https://deploy.userpilot.io

style-src
 'unsafe-inline'
```
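The quickest way to tell whether an existing policy is what is breaking the Userpilot connection is to check it mechanically rather than by eye. The following is an added example, not Userpilot's own code: it parses a `Content-Security-Policy` header, applies the CSP fallback rule (a missing fetch directive falls back to `default-src`; if that is missing too, the browser allows everything) and reports which of the Userpilot sources from the list above would be blocked. The `REQUIRED_USERPILOT_SOURCES` table is a constructed subset of that list, the host matching is a simplified form of CSP3 host-source matching (ports and paths are ignored), and `STRICT_POLICY` is a constructed sample of the common `default-src 'self'` policy that silently blocks the web socket.

```javascript
// Added example, not Userpilot's code: parse a Content-Security-Policy header and
// report which Userpilot sources from the list above it would block.
// The required-source table is a constructed sample taken from that list.

const REQUIRED_USERPILOT_SOURCES = {
  'connect-src': [
    'https://api.userpilot.io', 'wss://api.userpilot.io',
    'wss://analytex-eu.userpilot.io', 'https://reporting.userpilot.io',
  ],
  'script-src': ['https://js.userpilot.io', 'https://deploy.userpilot.io'],
  'img-src': ['https://media.userpilot.io', 'https://uploads.userpilot.io'],
  'font-src': ['https://fonts.gstatic.com', 'https://fonts.userpilot.io'],
  'media-src': ['https://js.userpilot.io'],
};

// "directive src src; directive src" -> { directive: [src, ...] }
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Simplified CSP3 host-source matching: '*' matches anything, a bare scheme such as
// "wss:" matches that scheme, a host may start with a wildcard label, and a host
// expression without a scheme (e.g. "*.userpilot.io") is accepted for any scheme.
// Keyword sources ('self', 'nonce-...', 'unsafe-inline') never name a remote host.
// Ports and paths are ignored, which is enough for the hosts listed above.
function sourceMatches(expr, originUrl) {
  const url = new URL(originUrl);
  if (expr === '*') return true;
  if (expr.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return expr.toLowerCase() === url.protocol;
  const m = expr.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?:\/.*)?$/i);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== url.protocol) return false;
  const target = url.hostname.toLowerCase();
  return wildcard ? target.endsWith(`.${host.toLowerCase()}`) : target === host.toLowerCase();
}

// A fetch directive that is absent falls back to default-src; if that is absent as
// well, the browser imposes no restriction, so the directive counts as wide open.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (policy['default-src']) return policy['default-src'];
  return ['*'];
}

// Returns "directive: url" for every required source the policy would block.
function findBlockedSources(header, required = REQUIRED_USERPILOT_SOURCES) {
  const policy = parseCsp(header);
  const blocked = [];
  for (const [directive, urls] of Object.entries(required)) {
    const sources = effectiveSources(policy, directive);
    for (const url of urls) {
      if (!sources.some((src) => sourceMatches(src, url))) blocked.push(`${directive}: ${url}`);
    }
  }
  return blocked;
}

// Constructed sample: a typical "default-src 'self'" policy. It lets the loader
// script through but blocks the web socket, fonts, media and the deploy host.
const STRICT_POLICY =
  "default-src 'self'; script-src 'self' https://js.userpilot.io; img-src 'self' https://*.userpilot.io";

console.log(findBlockedSources(STRICT_POLICY));
```

Run it against the header your site actually sends (copy it from the browser's network panel); an empty array means the policy is not the cause, otherwise each entry names the directive that needs a Userpilot host added.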

***

### **Using the Nonce Attribute in CSP Rules for Userpilot**

When applying **Content Security Policy (CSP) rules**, the use of `'unsafe-inline'` and `'unsafe-eval'` is **not required** if you use the `nonce` attribute. This ensures that only **scripts and styles** explicitly marked with the correct nonce can execute, improving security.

To enable this with **Userpilot**, you must pass the `nonce` attribute when defining the `userpilotSettings` object.

**CSP Rule Example**

```text theme={null}
default-src * 'self' 'nonce-i9o9123rlm';
style-src 'self' 'nonce-i9o9123rlm';
```

**Userpilot Setup**

<CodeGroup>
  ```javascript JavaScript theme={null}
  window.userpilotSettings = {
     token: "YOUR_USERPILOT_TOKEN",
     nonce: "i9o9123rlm" // This should match the nonce value defined in your CSP rules
  };
  ```

  ```typescript NPM theme={null}
  Userpilot.initialize("YOUR_USERPILOT_TOKEN", {
     nonce: "i9o9123rlm" // Must match the CSP nonce value
  });
  ```
</CodeGroup>

By ensuring that the **nonce value in your CSP matches the one passed to Userpilot**, you allow Userpilot scripts to run safely without needing `'unsafe-inline'` in your policy.

<Frame>
  For any questions or concerns please reach out to **[support@userpilot.com](mailto:support@userpilot.com)**
</Frame>
