Configure Content Security Policies for Appcues
Learn more about the content security policies that Appcues requires to work correctly.
If your product enforces a content security policy (CSP), it may block the Appcues editor or SDK from loading. Add the required Appcues domains to your CSP so experiences render correctly.
Also known as: CSP errors, whitelisting, allowlisting, blocked resources
Quick checks
- Appcues experiences or the Builder fail to load, but your app works fine otherwise.
- Your browser console shows errors containing "Refused to load", "Content Security Policy", or "CSP".
- Your site sets a Content-Security-Policy HTTP header or <meta> tag.
Add Appcues to your CSP
Option 1: Wildcard domains (recommended)
Use wildcards to keep your CSP working even if Appcues adds or changes subdomains. Add the following directives to your existing policy:
frame-src 'self' https://*.appcues.com;
font-src 'self' https://fonts.gstatic.com;
style-src 'self' https://*.appcues.com https://*.appcues.net https://fonts.googleapis.com https://fonts.google.com 'unsafe-inline';
script-src 'self' https://*.appcues.com https://*.appcues.net;
img-src 'self' https://*.appcues.com https://*.appcues.net res.cloudinary.com cdn.jsdelivr.net;
connect-src https://*.appcues.com https://*.appcues.net wss://*.appcues.net wss://*.appcues.com;
Option 2: Specific domains
Pin each Appcues domain individually. This is not recommended because Appcues may change hosts at any time without notice, which would break your experiences.
frame-src 'self' https://fast.appcues.com;
font-src 'self' https://fonts.gstatic.com;
style-src 'self' https://fast.appcues.com https://api.appcues.net https://fonts.googleapis.com https://fonts.google.com 'unsafe-inline';
script-src 'self' https://fast.appcues.com https://api.appcues.net;
img-src 'self' https://fast.appcues.com https://images.appcues.com https://api.appcues.net res.cloudinary.com cdn.jsdelivr.net;
connect-src https://fast.appcues.com https://api.appcues.net wss://api.appcues.net;
If Appcues changes a host, experiences will stop working until you update your CSP. Use Option 1 to avoid this.
Confirm it worked
- Deploy the updated CSP to your environment.
- Open your browser's developer console (F12 or Cmd+Option+I) and reload the page.
- Check that no Content Security Policy errors appear in the console.
A note on 'unsafe-inline'
The 'unsafe-inline' keyword in the style-src directive is required for Appcues themes and inline styling to work. The policy above is functional and secure: 'unsafe-inline' applies only to styles, not scripts, so it does not permit inline script execution.
If your organization removes 'unsafe-inline' from style-src, the following will stop working:
- Themes and inline styling
If you are on a locked SDK version below 4.39.41, 'unsafe-inline' is also required in font-src. Removing it from both font-src and style-src on older SDK versions will additionally break:
- The Actions option on the Flow Settings page
- Trigger Flow buttons in the Builder
Diagnose CSP issues
If Appcues content isn't loading or is loading incorrectly (missing or incorrect resources like images or fonts) and you suspect a CSP problem, walk through these steps to confirm and pinpoint the blocked resource.
Step 1: Check the browser console for CSP violations
- Open your app in the browser where Appcues should appear or is appearing incorrectly.
- Open DevTools (F12 or Cmd+Option+I) and go to the Console tab.
- Look for errors that start with "Refused to load the script", "Refused to connect", "Refused to apply inline style", or similar "Refused to..." messages. Each error tells you exactly which directive is blocking which resource.
Example error:
Refused to load the script 'https://fast.appcues.com/...' because it violates the following Content Security Policy directive: "script-src 'self'"
This tells you script-src is missing the Appcues domain.
Step 2: Match the symptom and update your CSP
Find what you're experiencing below, then add the corresponding directive from the CSP policy in Option 1 above.
- Experiences don't appear at all: your script-src directive is missing Appcues domains. Add https://*.appcues.com https://*.appcues.net to script-src.
- The Builder won't load: your frame-src directive is missing Appcues. Add https://*.appcues.com to frame-src.
- Experiences load but look unstyled: your style-src directive is missing Appcues domains or the 'unsafe-inline' keyword. Add https://*.appcues.com https://*.appcues.net https://fonts.googleapis.com https://fonts.google.com 'unsafe-inline' to style-src.
- Images or media are missing from Experiences: your img-src directive is missing Appcues domains. Add https://*.appcues.com https://*.appcues.net res.cloudinary.com cdn.jsdelivr.net to img-src.
- Experiences don't appear and/or analytics aren't working: your connect-src directive is missing Appcues domains or WebSocket endpoints. Add https://*.appcues.com https://*.appcues.net wss://*.appcues.net wss://*.appcues.com to connect-src.
- Custom fonts aren't rendering: your font-src directive is missing Google Fonts. Add https://fonts.gstatic.com to font-src.
If you're seeing multiple symptoms, the simplest fix is to add the full CSP policy from Option 1 — this covers all Appcues resources in one go.
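As an added example (not Appcues code), the checker below reads a Content-Security-Policy header string and reports, per directive, which of the Appcues hosts from Option 2 it still blocks, so you can see which Option 1 line to add before deploying and reading console errors. It applies the CSP fallback rules (frame-src falls back to child-src, then default-src; the other directives to default-src) and understands host wildcards such as https://*.appcues.com. It assumes an https page, ignores ports and paths, and the BEFORE header is a constructed sample.

```javascript
// Added example, not Appcues code: find which directives in a CSP header still block an Appcues host.
// Assumes an https page (schemeless sources match https and wss); ports and paths are ignored.
// Hosts Appcues needs, keyed by governing directive (the specific domains from Option 2 on this page).
const REQUIRED = {
  'script-src':  ['https://fast.appcues.com', 'https://api.appcues.net'],
  'frame-src':   ['https://fast.appcues.com'],
  'style-src':   ['https://fast.appcues.com', 'https://api.appcues.net', 'https://fonts.googleapis.com', 'https://fonts.google.com', "'unsafe-inline'"],
  'font-src':    ['https://fonts.gstatic.com'],
  'img-src':     ['https://fast.appcues.com', 'https://images.appcues.com', 'https://api.appcues.net', 'https://res.cloudinary.com', 'https://cdn.jsdelivr.net'],
  'connect-src': ['https://fast.appcues.com', 'https://api.appcues.net', 'wss://api.appcues.net'],
};
// "a b; c d" -> { a: ['b'], c: ['d'] }. Names are case-insensitive; a repeated directive is ignored (first wins).
function parseCsp(header) {
  const policy = {};
  for (const [name, ...sources] of header.split(';').map(p => p.trim().split(/\s+/).filter(Boolean)))
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  return policy;
}
// frame-src falls back to child-src, then default-src; every other fetch directive falls back to default-src.
function effectiveSources(policy, directive) {
  const chain = directive === 'frame-src' ? ['frame-src', 'child-src', 'default-src'] : [directive, 'default-src'];
  for (const d of chain) if (policy[d]) return policy[d]; // an empty list means "block everything"
  return null; // no governing directive at all: nothing is blocked
}
// Does one allowed source expression cover a required one? Keywords such as 'unsafe-inline' need an exact match.
function covers(allowed, required) {
  if (allowed === '*' || allowed === required) return true;
  if (required.startsWith("'")) return false;
  const [reqScheme, reqHost] = required.split('://');
  if (/^[a-z][a-z0-9+.-]*:$/i.test(allowed)) return allowed.slice(0, -1).toLowerCase() === reqScheme; // e.g. "https:"
  const i = allowed.indexOf('://');
  const alScheme = i < 0 ? reqScheme : allowed.slice(0, i).toLowerCase(); // schemeless host: matches page scheme
  const alHost = (i < 0 ? allowed : allowed.slice(i + 3)).toLowerCase().replace(/[:/].*$/, '');
  if (alScheme !== reqScheme) return false;
  return alHost.startsWith('*.') ? reqHost.endsWith(alHost.slice(1)) : alHost === reqHost; // "*.appcues.com"
}
// Returns { directive: [blocked sources] }; {} means every Appcues host is already allowed.
function checkAppcuesCsp(header) {
  const policy = parseCsp(header), missing = {};
  for (const [directive, needs] of Object.entries(REQUIRED)) {
    const allowed = effectiveSources(policy, directive);
    const blocked = allowed ? needs.filter(req => !allowed.some(al => covers(al, req))) : [];
    if (blocked.length) missing[directive] = blocked;
  }
  return missing;
}
// Constructed sample: a strict policy from before Appcues was added. Every directive needs an entry.
const BEFORE = "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self'";
console.log(checkAppcuesCsp(BEFORE));
```

A policy of only "default-src https:" passes the host checks but still reports 'unsafe-inline' for style-src and wss://api.appcues.net for connect-src, which is exactly the unstyled-experience and broken-analytics pair from Step 2.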
If it's still not working
Collect the following and send to support@appcues.com:
- Screenshots of all CSP-related console errors
- Your Appcues account ID
- The URL where Appcues should be loading
- Whether you're using a locked SDK version (and which version)