Content Security Policy (CSP) is a browser security standard that limits which scripts, stylesheets, network endpoints and frames a page may load, which mitigates cross-site scripting (XSS) and other code injection attacks. If your site sends a CSP header, the policy must allow the resources the CookieChimp widget loads; otherwise the browser blocks them and the banner will not appear. CookieChimp fully supports CSP and can be configured in two ways depending on how your policy is built.

Option 1: Domain-based CSP (without nonce)

If you use a domain-based (allowlist) CSP, add the CookieChimp origins to the relevant directives. This is the simplest approach and works well for most websites. Be aware that allowlisting an entire public CDN origin such as https://cdn.jsdelivr.net allows any script hosted on that CDN, not only CookieChimp's dependencies, so treat that entry as a deliberate trust decision.
Content-Security-Policy:
  script-src https://cookiechimp.com https://*.cookiechimp.com https://cdn.jsdelivr.net;
  style-src https://cookiechimp.com https://*.cookiechimp.com https://cdn.jsdelivr.net;
  connect-src https://cookiechimp.com https://*.cookiechimp.com;
  frame-src https://cookiechimp.com https://*.cookiechimp.com;
If you already send a CSP header, merge these origins into your existing directives (keeping 'self' and any other sources your own pages rely on) rather than adding a second Content-Security-Policy header: browsers enforce every CSP header on a response independently, so a second header can only tighten the policy, never widen it. Also check the fallback chain: if your policy sets default-src but not, for example, frame-src, the default-src list governs frames, so either add the origins there or add an explicit frame-src directive.

Option 2: Nonce-based CSP

If you use a nonce-based CSP for stricter control, add the nonce attribute to the CookieChimp script tag. CookieChimp reads the nonce from its own script element and applies it to every CSS and JavaScript element it creates dynamically, so those elements also satisfy the policy.
<script nonce="YOUR_SERVER_NONCE" src="https://cookiechimp.com/widget/abc123.js"></script>
With the corresponding CSP header:
Content-Security-Policy:
  script-src 'nonce-YOUR_SERVER_NONCE' https://cookiechimp.com https://*.cookiechimp.com https://cdn.jsdelivr.net;
  style-src 'nonce-YOUR_SERVER_NONCE' https://cookiechimp.com https://*.cookiechimp.com https://cdn.jsdelivr.net;
  connect-src https://cookiechimp.com https://*.cookiechimp.com;
  frame-src https://cookiechimp.com https://*.cookiechimp.com;
Replace YOUR_SERVER_NONCE with a cryptographically secure random value (at least 128 bits, base64-encoded) that your server generates fresh for every page request and places in both the header and the script tag. Never hardcode a static nonce: the protection comes from the value being unique and unpredictable per response, since an attacker who can guess the nonce can attach it to injected markup and pass the policy.

What each directive allows

| Directive   | Purpose |
|-------------|---------|
| script-src  | Allows the CookieChimp widget script and its dependencies |
| style-src   | Allows the consent banner and modal stylesheets |
| connect-src | Allows API requests that log consent and fetch configuration and translations |
| frame-src   | Allows rendering the preferences modal and embedding the privacy portal vendor list |

Additional domains for integrations

If you’re using CookieChimp alongside third-party integrations, you may need to add their domains to your CSP as well. Some common examples:
| Integration        | Directive  | Domain |
|--------------------|------------|--------|
| Meta Pixel         | script-src | https://connect.facebook.net |
| Google Analytics   | script-src | https://*.googletagmanager.com https://*.google-analytics.com |
| Google Tag Manager | script-src | https://*.googletagmanager.com |
These additional domains are not specific to CookieChimp — they are required by the third-party services themselves. Only add the domains for services you actually use.

Testing your CSP configuration

After updating your CSP header, verify that everything works. If you want to roll the change out without risking a broken site, serve the new policy as Content-Security-Policy-Report-Only first: violations are logged to the console (and to a report endpoint if you configure one) but nothing is blocked. Then:
  1. Open your website and check that the CookieChimp banner appears.
  2. Open the browser developer tools (F12) and check the Console tab for CSP violation errors. They typically look like: "Refused to load the script ... because it violates the following Content Security Policy directive: ...". The directive quoted in the message tells you which source list is missing the origin.
  3. Test the full consent flow — accept, reject, and update preferences — to ensure all API calls succeed.
If you see CSP violations related to CookieChimp, double-check that every required origin listed above is present in the correct directive, remembering that a wildcard such as https://*.cookiechimp.com does not match the apex host https://cookiechimp.com, and that a directive you have not set falls back to default-src.