Whitelisting URLs: Content Security Policy (CSP) and Apty

TABLE OF CONTENTS

Introduction

Content Security Policy (CSP) is a W3C standard providing a layer of protection against Cross-Site Scripting (XSS), which is a known vulnerability of web applications that results in the injection of malicious client-side scripts into web pages. CSP policy allows blocking/allowing content from specified domains and avoiding the content coming from unapproved origin. CSP rules work at the page level and apply to all components and librariesThis policy affects Apty's operation and if Apty, as well as third-party resources used by Apty have not been listed as CSP trusted sites, Apty content is going to be blocked.

This article covers the list of trusted sites that should be whitelisted for the uninterrupted Apty operation.

Whitelisting URLs

When you define a CSP Trusted Site, you can add the site’s URL to the list of allowed sites for the following directives in the HTTP response headers:

  • frame-src
  • img-src
  • style-src
  • font-src
  • media-src

By using suitable CSP directives in HTTP response headers, you can selectively specify which data sources should be permitted in your web application.

Sites that should be whitelisted for Apty operation

  1. HTTPS://API.SEGMENT.IO  It is a service for capturing data for analytics. It streams the data to Apty Analytics, stores collected data for a few minutes. For more details on which data is collected, refer to Data Collection and Storage.
  2. HTTPS://CDN.SEGMENT.COM It is a sub-service of Segment that retrieves JS used in the widget.
  3. HTTPS://FONTS.APP.APTY.IO This site allows whitelisting a resource offering custom typography for Apty usage. No data is collected by this service.
  4. HTTPS://CLIENT.APP.APTY.IO It is the server URL from where Apty widget data is fetched.

Note: 

You can replace the 3 and 4 from the above list by https://*.app.apty.io/

CSP Errors

If Apty has been added to the hosting application via the code snippet or the injected mode (as described in this article), but the widget is not loading on your website, this error may be caused by the CSP Policy. In order to check that, open the Developer Tools > Console tab and reload the page. If you see any errors related to the Content Security Policy directive, refer to your tech team with a request to whitelist the websites mentioned in the error message:

Note: 

From version 4.15 onwards, whitelisting the following two URLs would suffice

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.