Content Security Policy (CSP) Directives


Content Security Policy (CSP) is an HTTP response header that adds an extra layer of security to your website. It helps browsers detect and block potential attacks such as cross-site scripting (XSS), clickjacking, and other client-side threats that may try to inject malicious content.

When enabled, the browser checks every resource the page tries to load (e.g., JavaScript, CSS, images) against the policy you define. If a resource's origin is not allowed by your CSP, the browser blocks it and prevents it from loading.

CSP Directives for Panels Created on or After November 19, 2024

If your panel was created on or after November 19, 2024, and you have enabled the CSP header on your website, you might need to add the following directives to your CSP header to allow the Insider Tag:

<meta http-equiv="Content-Security-Policy"
content="
  connect-src 'self' https://*.useinsider.com https://*.api.useinsider.com wss://*.useinsider.com;
  font-src 'self' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  frame-src 'self' 'unsafe-inline' blob: *.useinsider.com *.api.useinsider.com;
  img-src 'self' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  style-src 'self' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  script-src 'self' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  script-src-elem 'self' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  worker-src 'self' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  object-src 'self' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
">

CSP Directives for Panels Created Before November 19, 2024

If your panel was created before November 19, 2024, you’ll need to use a slightly different set of directives:

<meta http-equiv="Content-Security-Policy"
content="
  connect-src 'self' https://*.useinsider.com https://*.api.useinsider.com wss://*.useinsider.com;
  font-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  frame-src 'self' 'unsafe-eval' 'unsafe-inline' blob: *.useinsider.com *.api.useinsider.com;
  img-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  style-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  script-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  script-src-elem 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  worker-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
  object-src 'self' 'unsafe-eval' 'unsafe-inline' *.useinsider.com *.api.useinsider.com;
">