> ## Documentation Index
> Fetch the complete documentation index at: https://docs.userpilot.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Content Security Policy (CSP)

> Userpilot sends data using a web-socket connection. This issue is most likely due to blockage caused by a content security policy(CSP) – some networks block.

Userpilot sends data using a web-socket connection. This issue is most likely due to blockage caused by a content security policy(CSP) – some networks block the web-socket connection. This can be fixed by asking your engineering team to whitelist Userpilot on your domain.  Also, we recommend checking our Userpilot’s developer docs to understand what goes in and out of a client’s network.

You'll need to ensure that your policy allows Userpilot.js requests:

```
style-src    'self' https://*.userpilot.io https://fonts.gstatic.com https://fonts.googleapis.com 'unsafe-inline';
script-src   'self' https://*.userpilot.io 'unsafe-inline';
img-src      'self' https://*.userpilot.io;
connect-src  https://*.userpilot.io *.userpilot.io wss:;
```

Use below for more detailed whitelisting

```
connect-src:
 https://uploads.userpilot.io
 https://api.userpilot.io
 wss://api.userpilot.io
 https://find.userpilot.io
 https://find-x.userpilot.io
 https://find-y.userpilot.io
 https://find-z.userpilot.io
 https://find-w.userpilot.io
 wss://analytex.userpilot.io
 wss://analytex-us.userpilot.io
 wss://analytex-eu.userpilot.io
 wss://analytex-in.userpilot.io
 https://analytex.userpilot.io
 https://analytex-us.userpilot.io
 https://analytex-eu.userpilot.io
 https://analytex-in.userpilot.io
 https://reporting.userpilot.io
 wss://reporting.userpilot.io
 https://playground.userpilot.io

font-src
 https://fonts.googleapis.com
 https://fonts.gstatic.com
 https://fonts.userpilot.io

media-src
 https://js.userpilot.io

img-src
 https://media.userpilot.io
 https://uploads.userpilot.io
 https://gifs.userpilot.io
 https://videos.userpilot.io

script-src:
 https://js.userpilot.io
 https://deploy.userpilot.io

style-src:
 'unsafe-inline'
```

***

### **Using the Nonce Attribute in CSP Rules for Userpilot**

When applying **Content Security Policy (CSP) rules**, the use of `'unsafe-inline'` and `'unsafe-eval'` is **not required** if you use the `nonce` attribute. This ensures that only **scripts and styles** explicitly marked with the correct nonce can execute, improving security.

To enable this with **Userpilot**, you must pass the `nonce` attribute when defining the `userpilotSettings` object.

**CSP Rule Example**

```
default-src * 'self' 'nonce-i9o9123rlm';
style-src 'self' 'nonce-i9o9123rlm';
```

**Userpilot Setup**

<CodeGroup>
  ```javascript JavaScript theme={null}
  window.userpilotSettings = {
     token: "YOUR_USERPILOT_TOKEN",
     nonce: "i9o9123rlm" // This should match the nonce value defined in your CSP rules
  };
  ```

  ```typescript NPM theme={null}
  Userpilot.initialize("YOUR_USERPILOT_TOKEN", {
     nonce: "i9o9123rlm" // Must match the CSP nonce value
  });
  ```
</CodeGroup>

By ensuring that the **nonce value in your CSP matches the one passed to Userpilot**, you allow Userpilot scripts to run safely without needing in your policy.

<Frame>
  [For any questions or concerns please reach out to ](mailto:support@userpilot.com)
</Frame>