Security, Privacy, and Compatability
      Back to home
      1. Customer Support Center
      2. Security, Privacy, and Compatability

      Whitelisting URLs: Content Security Policy (CSP) and Apty

      TABLE OF CONTENTS

      Introduction

      Content Security Policy (CSP) is a W3C standard providing a layer of protection against Cross-Site Scripting (XSS), which is a known vulnerability of web applications that results in the injection of malicious client-side scripts into web pages. CSP policy allows blocking/allowing content from specified domains and avoiding the content coming from unapproved origin. CSP rules work at the page level and apply to all components and libraries. This policy affects Apty's operation and if Apty, as well as third-party resources used by Apty have not been listed as CSP trusted sites, Apty content is going to be blocked.

      This article covers the list of trusted sites that should be whitelisted for the uninterrupted Apty operation.

      Whitelisting URLs

      When you define a CSP Trusted Site, you can add the site’s URL to the list of allowed sites for the following directives in the HTTP response headers:

      • frame-src
      • img-src
      • style-src
      • font-src
      • media-src

      By using suitable CSP directives in HTTP response headers, you can selectively specify which data sources should be permitted in your web application.

      Sites that should be whitelisted for Apty operation

      1. HTTPS://API.SEGMENT.IO : It is a service for capturing data for analytics. It streams the data to Apty Analytics, stores collected data for a few minutes. For more details on which data is collected, refer to Data Collection and Storage.
      2. HTTPS://CDN.SEGMENT.COM : It is a sub-service of Segment that retrieves JS used in the widget.
      3. HTTPS://FONTS.APP.APTY.IO : This site allows whitelisting a resource offering custom typography for Apty usage. No data is collected by this service.
      4. HTTPS://CLIENT.APP.APTY.IO : It is the server URL from where Apty widget data is fetched.

      Note:

      Alternatively, you can whitelist https://*.app.apty.io/ for the 3rd and the 4th points mentioned above.

      CSP Errors

      If Apty Client has been added to the hosting application via the code snippet or the injected mode, but it is not loading on your website, this error may be caused by the CSP Policy. In order to check that, open the Developer Tools > Console tab and reload the page. If you see any error related to the Content Security Policy directive, refer to your tech team with a request to whitelist the following websites:

      Note

      From version 4.15 onwards, whitelisting the following two URLs would suffice

      • https://*.app.apty.io/ : To fetch all the Apty content and send user preferences.
      • https://*.segment.io/ : To send analytics data.