Content Security Policies


Content Security Policies are delivered as a header to your users’ browser by your web-server and they are used to declare which dynamic resources are allowed to load on your page.

For many websites, this is often as straightforward as declaring that only scripts/styles from your own domain and that of any tools that you are using is allowed, but this can become more involved when complex setups are in play.

If you identify CSP errors on your site, there is currently no workaround and you will need to work with your development team or hosting provider to adjust your CSP settings.


Check to see if there are CSP errors.

You can check your browser developer console by following the steps in this guide.

If there is a Content Security Policy issue, you will see something similar to the below error:

Consult with your web developer or hosting provider to adjust CSP settings.

Since all servers are different, WebMaxy Support won’t be able to help troubleshoot any issues with this process. When making changes to your Content Security Policies, the best person to reach out to is your web developer, or whoever manages your website.

Choose which CSP settings to adjust.

If you are using a default CSP then adding the below to your default-src rules will be sufficient.

The “…” in the examples below is a placeholder for any existing rules you might have in place:

default-src ... http://*.webmaxy.com:* https://*.webmaxy.com:* http://*.webmaxy.io https://*.webmaxy.io wss://*.webmaxy.com 'unsafe-inline';

If you want stricter restrictions we would recommend the template below to ensure that your policies will be more future-proof as we expand our services. Here’s an example of what that would look like:

img-src ... http://*.webmaxy.com https://*.webmaxy.com http://*.webmaxy.io https://*.webmaxy.io; 
script-src ... http://*.webmaxy.com https://*.webmaxy.com http://*.webmaxy.io https://*.webmaxy.io 'unsafe-inline'; 
connect-src ... http://*.webmaxy.com:* https://*.webmaxy.com:* http://*.webmaxy.io https://*.webmaxy.io wss://*.webmaxy.com; 
frame-src ... https://*.webmaxy.com http://*.webmaxy.io https://*.webmaxy.io; 
font-src ... http://*.webmaxy.com https://*.webmaxy.com http://*.webmaxy.io https://*.webmaxy.io;

If your CSPs require more granularity then here are the absolute minimum security allowances that you need to add to your web-server to allow WebMaxy to function properly on your site:

img-src ... https://script.webmaxy.com http://script.webmaxy.com;
script-src ... http://static.webmaxy.com https://static.webmaxy.com https://script.webmaxy.com 'unsafe-inline';
connect-src ... http://*.webmaxy.com:* https://*.webmaxy.com:* https://vc.webmaxy.io:* https://surveystats.webmaxy.io wss://*.webmaxy.com;
frame-src ... https://vars.webmaxy.com;
font-src ... http://script.webmaxy.com https://script.webmaxy.com;

Update to requirements as of May 2021 #

In order for Survey Performance data to be collected properly, the entry https://surveystats.webmaxy.io has been added to the minimum security allowance requirements above.

Back to top

Copyright @ 2022 WebMaxy | All rights reserved.