Content Security Policy

If your site uses a Content Security Policy, you may need to add directives to allow InstantSchema to load or fetch data. The required directives depend on which integration method you use.

Quick reference

Integration       script-src     connect-src
CDN script        ✅ Required     ✅ Required
Inline script     not needed     ✅ Required
GTM               ✅ Required     ✅ Required
Next.js SDK       not needed     not needed
Astro             not needed     not needed
Nuxt              not needed     not needed
Custom API        not needed     not needed
Server-side integrations (SDK, Astro, Nuxt, Custom API) render schemas into HTML on your server — no external scripts are loaded and no client-side fetches are made, so no CSP changes are needed.

CDN script

The CDN integration loads a script from app.instantschema.com and then fetches schema data from the same origin. Add both directives:
Content-Security-Policy: script-src 'self' https://app.instantschema.com; connect-src 'self' https://app.instantschema.com

Inline script

The inline script makes a fetch() call to the API but does not load any external script file, so the InstantSchema domain only needs to appear in connect-src. The inline snippet itself is still subject to your script-src: if your policy does not permit inline scripts, give the tag a nonce or add its hash, as you would for any other inline script. Add connect-src:
Content-Security-Policy: connect-src 'self' https://app.instantschema.com

GTM

GTM loads the InstantSchema CDN script via its own container. You need script-src for the InstantSchema domain (plus whatever GTM itself requires).
Content-Security-Policy: script-src 'self' https://app.instantschema.com https://www.googletagmanager.com; connect-src 'self' https://app.instantschema.com
GTM’s own container script (googletagmanager.com) is separate from InstantSchema. Check GTM’s documentation for the full list of domains their container needs.

Strict CSP with nonces

If your policy uses 'strict-dynamic' with a per-request nonce (a fresh, unguessable value generated on the server for every response, never a fixed string), the CDN loader tag needs that same value in its nonce attribute:
<script
  src="https://app.instantschema.com/v1/loader.js"
  data-project-id="YOUR_PROJECT_ID"
  nonce="GENERATED_NONCE"
  async
></script>
With 'strict-dynamic', scripts that a trusted (nonced) script loads inherit its trust automatically, and host entries in script-src are ignored, so https://app.instantschema.com does not need to be listed there. 'strict-dynamic' only governs script loading, though: the loader's internal fetch() call is not a script load, it is checked against connect-src, which still needs an explicit entry:
Content-Security-Policy: script-src 'nonce-GENERATED_NONCE' 'strict-dynamic'; connect-src 'self' https://app.instantschema.com

Testing your policy

After updating your CSP, open the browser DevTools Console and reload the page. Blocked requests are logged there as CSP violation errors, naming the resource and the directive that blocked it. In the Network tab, confirm that both the loader script and the API request return 200 rather than showing as blocked. To try a policy without breaking the live site, send it first as Content-Security-Policy-Report-Only: violations are then reported in the Console (and to a report-to or report-uri endpoint, if you configure one) without being enforced.