US English (US)
ES Spanish

Submit Article Requests

Do you have a suggestion for an article you would like to see created?
Feel free to submit this form and add your suggestions to our document board.

Please fill out the contact form below and we will reply as soon as possible.

  • Appcues Certifications & Training
  • Integration Hub
  • Contact Us
English (US)
US English (US)
ES Spanish
  • Docs home
  • Installation & Developers
  • Installing Appcues on Web

Content Security Policies

Learn more about the content security policies that Appcues requires to work correctly.

Updated at October 21st, 2025

Submit Article Requests

Do you have a suggestion for an article you would like to see created?
Feel free to submit this form and add your suggestions to our document board.

Please fill out the contact form with the details about the help content you'd like to see.

  • Home

  • Getting Started

    • Installation & Developers

      • Web Experiences

        • Mobile Experiences

          • Workflows

            • Analytics & Data

              • Account Management

                • Best Practices

                  • Integrations

                    Table of Contents

                    A note on 'unsafe-inline'

                    Some software products use a content security policy that automatically blocks resources that are not explicitly allowed. Such security policies may cause Appcues' editor or SDK to fail to load properly. If your product has a content security policy that is impacting Appcues' editor or SDK, you will want to extend that CSP with a number of resources that Appcues requires.

                    You'll need to add the following Content Security Policy settings on your end:

                    Option 1 (recommended)

                    Use our wildcard Content Security Policy to ensure that your content always displays correctly regardless of any changes on our end.

                    9:37
                     
                    frame-src    'self' https://*.appcues.com;
font-src     'self' https://fonts.gstatic.com;
style-src    'self' https://*.appcues.com https://*.appcues.net https://fonts.googleapis.com https://fonts.google.com 'unsafe-inline';
script-src   'self' https://*.appcues.com https://*.appcues.net;
img-src      'self' https://*.appcues.com https://*.appcues.net res.cloudinary.com cdn.jsdelivr.net;
connect-src  https://*.appcues.com https://*.appcues.net wss://*.appcues.net wss://*.appcues.com;

                    Option 2 (not recommended)

                    Use the specific Content Security Policy list. Please note that if you opt for this, the list of hosts can be changed and result in broken functionality for your Appcues experiences.

                    frame-src    'self' https://fast.appcues.com;
font-src     'self' https://fonts.gstatic.com;
style-src    'self' https://fast.appcues.com https://api.appcues.net https://fonts.googleapis.com https://fonts.google.com 'unsafe-inline';
script-src   'self' https://fast.appcues.com https://api.appcues.net;
img-src      'self' https://fast.appcues.com https://api.appcues.net res.cloudinary.com cdn.jsdelivr.net;
connect-src  https://fast.appcues.com https://api.appcues.net wss://api.appcues.net;

                    Please reach out to us at support@appcues.com if you have any questions on the above.

                    A note on 'unsafe-inline'

                    The above content security policy is functional and secure. Some organizations prefer to not have the 'unsafe-inline' as specified in row 3 above. While it is possible to remove this directive, if you do the following Appcues functions will no longer work properly:

                    • Themes & In-line Styling

                    NOTE: If you are using a Locked Version of the SDK (Anything lower than 4.39.41) then you will want to have unsafe-inline specified in rows 2 AND 3 above. While it is possible to remove this directive from those lines, if you do the following Appcues functions will no longer work properly:

                    • Themes & In-line Styling
                    • The Actions option on the Flow Settings page
                    • Trigger Flow Buttons in the Builder

                     

                    faqs content security csp error csp whitelisting whitelist

                    Was this article helpful?

                    Yes
                    No
                    Give feedback about this article

                    Related Articles

                    • Personalize Web and Mobile Flows
                    • Diagnostics Tool
                    • Manage Flows
                    • Checklist FAQ
                    Appcues logo

                    Product

                    Why Appcues How it works Integrations Security Pricing What's new

                    Use cases

                    Appcues Integration Hub User Onboarding Software Feature Adoption Software NPS & Surveys Announcements Insights Mobile Adoption

                    Company

                    About
                    Careers

                    Support

                    Developer Docs Contact

                    Resources

                    The Appcues Blog Product Adoption Academy GoodUX Case studies Webinar Series Made with Appcues Appcues University

                    Follow us

                    Facebook icon Twitter icon grey Linkedin icon Instagram icon
                    © 2022 Appcues. All rights reserved.
                    Security Terms of Service Privacy Policy

                    Knowledge Base Software powered by Helpjuice

                    Expand