Content Security Policy (CSP) Settings for Beacon

If your website or web app has a Content Security Policy header and you would like to embed a Beacon, you'll want to whitelist a few additional sources so that everything works properly.

Here's a list of URLs to include in your header. Remember to replace anything that says your-site-subdomain with your Docs site subdomain.

Beacon 1.0

connect-src:
	https://your-site-subdomain.helpscoutdocs.com
	https://secure.helpscout.net
	https://api.ipify.org

child-src: // only needed if your Docs content includes any of the video sources below
	https://www.youtube.com
	https://player.vimeo.com
	https://fast.wistia.net

style-src:
	'unsafe-inline'
	https://fonts.googleapis.com
	https://d12wqas9hcki3z.cloudfront.net
	https://djtflbt20bdde.cloudfront.net

font-src:
	data:
	https://fonts.gstatic.com

base-uri:
	https://docs.helpscout.net

script-src:
	https://d12wqas9hcki3z.cloudfront.net
	https://d33v4339jhl8k0.cloudfront.net
	https://djtflbt20bdde.cloudfront.net

frame-src:
	https://djtflbt20bdde.cloudfront.net

object-src:
	https://djtflbt20bdde.cloudfront.net

Beacon 2.0

Beacon 2.0 supports the use of strict CSP v3:

Content-Security-Policy:
    object-src 'none';
    script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
    base-uri 'none';
    report-uri https://your-report-collector.example.com

Add the same random nonce to the script tag in your Beacon embed code, as its nonce attribute, so that the browser allows it to load.

If you are using CSP version 1 or 2, add the following whitelist so that Beacon 2.0 functions properly on your website:

connect-src:
    https://beaconapi.helpscout.net
    https://chatapi.helpscout.net
    https://d3hb14vkzrxvla.cloudfront.net
child-src: // only needed if your Docs content includes any of the video sources below
    https://www.youtube.com
    https://player.vimeo.com
    https://fast.wistia.net
style-src:
    'unsafe-inline'
    https://fonts.googleapis.com
    https://beacon-v2.helpscout.net
    https://djtflbt20bdde.cloudfront.net
font-src:
    data:
    https://fonts.gstatic.com
base-uri:
    https://docs.helpscout.net
script-src:
    https://beacon-v2.helpscout.net
    https://d12wqas9hcki3z.cloudfront.net
    https://d33v4339jhl8k0.cloudfront.net
frame-src:
    https://beacon-v2.helpscout.net
object-src:
    https://beacon-v2.helpscout.net

wss://*.pusher.com
*.sumologic.com
sentry.io
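
Added example (not Help Scout's code): one way to merge the Beacon 2.0 whitelist above into a policy your site already sends, without discarding sources inherited from default-src and without adding a directive that would newly restrict the site. The function names are hypothetical, and the three trailing entries (pusher, sumologic, sentry) are left out because the list above does not say which directive they belong to.

```javascript
// Added example. Source lists are copied from the Beacon 2.0 whitelist above;
// child-src is omitted because it is only needed for embedded video.
const BEACON_V2 = {
  'connect-src': ['https://beaconapi.helpscout.net', 'https://chatapi.helpscout.net',
    'https://d3hb14vkzrxvla.cloudfront.net'],
  'style-src': ["'unsafe-inline'", 'https://fonts.googleapis.com',
    'https://beacon-v2.helpscout.net', 'https://djtflbt20bdde.cloudfront.net'],
  'font-src': ['data:', 'https://fonts.gstatic.com'],
  'base-uri': ['https://docs.helpscout.net'],
  'script-src': ['https://beacon-v2.helpscout.net', 'https://d12wqas9hcki3z.cloudfront.net',
    'https://d33v4339jhl8k0.cloudfront.net'],
  'frame-src': ['https://beacon-v2.helpscout.net'],
  'object-src': ['https://beacon-v2.helpscout.net'],
};

// Directives a browser consults when the named one is absent (base-uri has none).
function fallbackChain(name) {
  if (name === 'base-uri') return [];
  return name === 'frame-src' ? ['child-src', 'default-src'] : ['default-src'];
}

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers, so keep only the first.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function mergeCsp(header, additions) {
  const policy = parseCsp(header);
  for (const [name, extra] of Object.entries(additions)) {
    const donor = [name, ...fallbackChain(name)].find((d) => policy.has(d));
    // No directive and no fallback: that resource type is already unrestricted,
    // and adding the directive would newly block the site's own sources.
    if (!donor) continue;
    // Start from the effective list so existing sources such as 'self' survive,
    // and drop 'none', which is only meaningful as the sole source.
    const merged = [...new Set([...policy.get(donor), ...extra])]
      .filter((s) => s.toLowerCase() !== "'none'");
    policy.set(name, merged);
  }
  return [...policy].map(([n, s]) => [n, ...s].join(' ')).join('; ');
}
```

Call `mergeCsp(existingHeaderValue, BEACON_V2)` and send the returned string as the Content-Security-Policy header value.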
