If your website uses a Content Security Policy (CSP), you must explicitly allow Usercentrics domains. Otherwise, the CMP scripts, API calls, or assets may be blocked by the browser.
CSP defines which sources your website is allowed to load resources from (such as scripts, images, or network requests). To ensure the Usercentrics CMP works correctly, specific domains must be included in your policy.
Required domains for Usercentrics CMP
For Web CMP implementations (including V3), your CSP must allow the following domains:
https://*.usercentrics.euandhttps://*.cmp.usercentrics.eu
These domains ensure that:
CMP scripts can load (
script-src), API communication works (connect-src) and assets such as images are available (img-src)
While CSP wildcards can match subdomains, explicitly including both domains avoids ambiguity and ensures compatibility with current and future CMP host patterns.
How to configure CSP
Please note
Configure CSP via the HTTP response header whenever possible. Using a tag is supported, but should only be used if server-side configuration is not available.
CSP can be set in two ways:
-
HTTP header (recommended)
The preferred approach is to configure CSP via the HTTP response header on your server. This is more secure and applied before any content loads.
-
HTML
<meta>tag (alternative)If you cannot modify server headers, you can define CSP using a
<meta>tag inside the<head>of your page.
Example configurations
Depending on your implementation, you may or may not need 'unsafe-eval'.
With 'unsafe-eval' (required for loader.js)
<meta http-equiv="Content-Security-Policy"
content="script-src https://*.usercentrics.eu https://*.cmp.usercentrics.eu 'self' 'unsafe-eval'; connect-src 'self' https://*.usercentrics.eu https://*.cmp.usercentrics.eu; img-src 'self' https://*.usercentrics.eu https://*.cmp.usercentrics.eu;">Without 'unsafe-eval' (recommended for bundle.js)
<meta
http-equiv="Content-Security-Policy"
content="script-src https://*.usercentrics.eu https://*.cmp.usercentrics.eu 'self'; connect-src 'self' https://*.usercentrics.eu https://*.cmp.usercentrics.eu; img-src 'self' https://*.usercentrics.eu https://*.cmp.usercentrics.eu;">You can find more information about the CSP here, here, and here.