# Content Security Policy (CSP)

CSP is an optional browser security mechanism, delivered as an HTTP response header or an HTML `<meta>` tag, in which a web app declares every source it is allowed to load content from. This page outlines the minimum directives required to enable full Customer.io functionality.

### Required CSP Directives for Accounts on the US Data Center

```
script-src assets.customer.io code.gist.build customerioforms.com 'unsafe-inline' 'unsafe-eval';
connect-src track.customer.io customerioforms.com *.api.gist.build *.cloud.gist.build;
frame-src renderer.gist.build code.gist.build;
style-src code.gist.build 'unsafe-inline';
img-src track.customer.io;
```

### Required CSP Directives for Accounts on the EU Data Center

```
script-src assets.customer.io code.gist.build eu.customerioforms.com 'unsafe-inline' 'unsafe-eval';
connect-src track-eu.customer.io eu.customerioforms.com *.api.gist.build *.cloud.gist.build;
frame-src renderer.gist.build code.gist.build;
style-src code.gist.build 'unsafe-inline';
img-src track-eu.customer.io;
```

### Glossary of Directives

#### Directive: script-src

| Host | Description |
| --- | --- |
| assets.customer.io | Location of the Customer.io JavaScript file, referenced in the installation snippet. |
| code.gist.build | Location of the services that enable [In-App Messaging](/journeys/in-app-getting-started/). |
| customerioforms.com | Location of the services that enable [Connected Forms](/integrations/data-in/connections/forms/connected-forms//). |

#### Directive: connect-src

| Host | Description |
| --- | --- |
| track.customer.io | Required for event communication. |
| customerioforms.com | Required for [Connected Forms](/integrations/data-in/connections/forms/connected-forms//) events. |
| \*.api.gist.build, \*.cloud.gist.build | Required for [In-App Messaging](/journeys/in-app-getting-started/). |

#### Directive: frame-src

| Host | Description |
| --- | --- |
| renderer.gist.build, code.gist.build | Required for loading in-app messages. |

#### Directive: style-src

| Host | Description |
| --- | --- |
| code.gist.build | Required for adding the in-app message styles to the page. |

#### Directive: img-src

| Host | Description |
| --- | --- |
| track.customer.io | Required for pageview tracking. |

## Frequently Asked Questions

**Are `unsafe-inline` and `unsafe-eval` directives required?**

Yes, the `unsafe-inline` and `unsafe-eval` source keywords are required for the Customer.io JavaScript and CSS to behave properly.

**Can I exclude the directives relating to Connected Forms or In-App Messaging if I don’t plan on using those Customer.io features?**

Yes, you can exclude the sources relating to either or both features if you don’t plan on using them. For Connected Forms, the sources to exclude are:

*   customerioforms.com
*   eu.customerioforms.com

To remove the In-App Messaging sources, exclude:

*   \*.api.gist.build
*   \*.cloud.gist.build
*   renderer.gist.build
*   code.gist.build
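As an added example (not Customer.io's own code), the following Python builds the header value from this page's host lists for either data center, applies the FAQ's rule for dropping the Connected Forms and In-App Messaging sources, and reports which required sources an existing policy would still block. The `default-src`/`child-src` fallback chain and the `*.domain` wildcard matching are simplified assumptions of this example, not something the page specifies.

```python
# Data-center-specific hosts from this page; the gist.build hosts are shared by both.
DATA_CENTERS = {
    "us": {"track": "track.customer.io", "forms": "customerioforms.com"},
    "eu": {"track": "track-eu.customer.io", "forms": "eu.customerioforms.com"},
}
IN_APP_HOSTS = {"code.gist.build", "renderer.gist.build", "*.api.gist.build", "*.cloud.gist.build"}
# Assumed fallback chain: an absent directive defers to default-src (frame-src tries child-src first).
FALLBACK = {"frame-src": ["child-src", "default-src"]}

def customerio_csp(data_center="us", in_app=True, forms=True):
    """Return {directive: [sources]} for the chosen data center, applying the FAQ's exclusions."""
    dc = DATA_CENTERS[data_center]
    full = {  # the complete list from this page, in the page's order
        "script-src": ["assets.customer.io", "code.gist.build", dc["forms"], "'unsafe-inline'", "'unsafe-eval'"],
        "connect-src": [dc["track"], dc["forms"], "*.api.gist.build", "*.cloud.gist.build"],
        "frame-src": ["renderer.gist.build", "code.gist.build"],
        "style-src": ["code.gist.build", "'unsafe-inline'"],
        "img-src": [dc["track"]],
    }
    dropped = (set() if in_app else IN_APP_HOSTS) | (set() if forms else {dc["forms"]})
    policy = {d: [s for s in srcs if s not in dropped] for d, srcs in full.items()}
    return {d: srcs for d, srcs in policy.items() if srcs}  # an empty directive would mean 'none'

def csp_header(policy):
    """Serialize {directive: [sources]} into a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())

def parse_csp(header):
    """Parse one CSP header value into {directive: set(sources)}; directive names are case-insensitive."""
    tokens = (t.split() for t in header.split(";"))
    return {p[0].lower(): set(p[1:]) for p in tokens if p}

def _allows(allowed, src):
    """Exact match; for host sources (not quoted keywords) '*' or a matching *.domain wildcard also counts."""
    if src in allowed or src.startswith("'"):
        return src in allowed
    return "*" in allowed or any(a.startswith("*.") and src.endswith(a[1:]) for a in allowed)

def missing_sources(existing_header, required):
    """Return {directive: [sources]} that an existing policy would block out of the required set."""
    have, missing = parse_csp(existing_header), {}
    for directive, sources in required.items():
        governing = next((n for n in [directive] + FALLBACK.get(directive, ["default-src"]) if n in have), None)
        if governing is None:
            continue  # neither the directive nor its fallback is set, so nothing is restricted
        blocked = [s for s in sources if not _allows(have[governing], s)]
        if blocked:
            missing[directive] = blocked
    return missing
```

Running `missing_sources` against your current policy before deploying tells you exactly which sources to add per directive, rather than diffing header strings by hand.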