---
title: "Content Security Policy"
slug: "content-security-policy"
updated: 2025-11-07T13:52:35Z
published: 2025-11-07T13:52:35Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://help.userflow.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Content Security Policy

If your web app uses [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP), you’ll need to ensure that your policy allows Userflow.js requests.

Your policy must allow the following:

```plaintext
connect-src:
  https://cdn.userflow.com
  https://e.userflow.com
  https://e.eu.userflow.com
  https://js.userflow.com
  wss://e.userflow.com
  wss://e.eu.userflow.com

script-src:
  https://cdn.userflow.com
  https://js.userflow.com

style-src:
  https://cdn.userflow.com
  https://js.userflow.com

img-src:
  https://blob.userflow.com
  https://cdn.userflow.com
  https://js.userflow.com
  https://storage.googleapis.com/studio1-prod-blob/

media-src:
  https://blob.userflow.com
  https://cdn.userflow.com
  https://storage.googleapis.com/studio1-prod-blob/

frame-src:
   https://cdn.userflow.com
```

A few notes:

- The name `studio1` (in the `storage.googleapis.com` URLs) was the company’s original name and is therefore used for legacy reasons.