# Content Security Policy

> CSP directives required for each InstantSchema integration method

If your site uses a Content Security Policy, you may need to add directives to allow InstantSchema to load or fetch data. The required directives depend on which integration method you use.

## Quick reference

| Integration   | `script-src` | `connect-src` |
| ------------- | ------------ | ------------- |
| CDN script    | ✅ Required   | ✅ Required    |
| Inline script | —            | ✅ Required    |
| GTM           | ✅ Required   | ✅ Required    |
| Next.js SDK   | —            | —             |
| Astro         | —            | —             |
| Nuxt          | —            | —             |
| Custom API    | —            | —             |

Server-side integrations (SDK, Astro, Nuxt, Custom API) render schemas into HTML on your server — no external scripts are loaded and no client-side fetches are made, so no CSP changes are needed.

## CDN script

The CDN integration loads a script from `app.instantschema.com` and then fetches schema data from the same origin.

Add both directives:

```http
Content-Security-Policy: script-src 'self' https://app.instantschema.com; connect-src 'self' https://app.instantschema.com
```

## Inline script

The inline script makes a `fetch()` call to the API but does not load any external script file.

Add only `connect-src`:

```http
Content-Security-Policy: connect-src 'self' https://app.instantschema.com
```

## GTM

GTM loads the InstantSchema CDN script via its own container. You need `script-src` for the InstantSchema domain (plus whatever GTM itself requires).

```http
Content-Security-Policy: script-src 'self' https://app.instantschema.com https://www.googletagmanager.com; connect-src 'self' https://app.instantschema.com
```

<Note>
  GTM's own container script (`googletagmanager.com`) is separate from InstantSchema. Check GTM's documentation for the full list of domains their container needs.
</Note>

## Strict CSP with nonces

If your policy uses `'strict-dynamic'` with a per-request nonce, the CDN loader tag needs the nonce attribute:

```html
<script
  src="https://app.instantschema.com/v1/loader.js"
  data-project-id="YOUR_PROJECT_ID"
  nonce="GENERATED_NONCE"
  async
></script>
```

With `'strict-dynamic'`, scripts loaded by a trusted (nonced) script inherit trust automatically, but the loader's internal `fetch()` call is not a script load and is governed by `connect-src`, so it still needs an explicit entry there:

```http
Content-Security-Policy: script-src 'nonce-GENERATED_NONCE' 'strict-dynamic'; connect-src 'self' https://app.instantschema.com
```

## Testing your policy

After updating your CSP, open the browser DevTools **Console** and reload the page. Blocked loads are logged as CSP violation errors. You can also use the **Network** tab to confirm the loader script and API request both return 200 rather than being blocked. To trial a policy without breaking the page for visitors, ship it first as `Content-Security-Policy-Report-Only`, which reports violations in the console without enforcing them, then switch to the enforcing header once the console is clean.
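As an added example (not InstantSchema's own code), a small evaluator you can run before deploying a policy: it applies the source-list rules this page relies on (fallback to `default-src`, `'self'`, host wildcards, and nonces plus `'strict-dynamic'` for script loads only) and reports which directives from the quick reference still block a given integration. The page origin and nonce passed in `ctx` are assumptions.

```javascript
// Added example, not InstantSchema's code. Constructed assumptions: ctx.pageOrigin and ctx.nonce.
const LOADER = "https://app.instantschema.com/v1/loader.js"; // loader URL from this page
const API = "https://app.instantschema.com/";                // origin the loader fetches from

// Parse a header value into directive -> [source expressions]; first occurrence of a directive wins.
function parseCsp(header) {
  const map = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !map.has(name.toLowerCase())) map.set(name.toLowerCase(), sources);
  }
  return map;
}

// Match one host-source expression (scheme://[*.]host[:port][/path]) against a URL.
function hostSourceMatches(expr, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wild, host, port, path] = m;
  if (scheme && scheme.toLowerCase() !== url.protocol.slice(0, -1)) return false;
  const h = host.toLowerCase();
  if (wild ? !url.hostname.endsWith("." + h) : url.hostname !== h) return false;
  if (port && port !== "*" && port !== (url.port || (url.protocol === "https:" ? "443" : "80"))) return false;
  return !path || url.pathname.startsWith(path);
}
// Would `directive` allow `urlString`? Absent directives fall back to default-src; nonces apply to scripts only.
function cspAllows(policy, directive, urlString, ctx) {
  const url = new URL(urlString);
  const dirs = parseCsp(policy);
  const sources = dirs.get(directive) ?? dirs.get("default-src");
  if (!sources) return true;                      // nothing restricts this load
  if (sources.includes("'none'")) return false;
  const strict = directive === "script-src" && sources.includes("'strict-dynamic'");
  for (const s of sources) {
    if (directive === "script-src" && ctx.nonce && s === `'nonce-${ctx.nonce}'`) return true;
    if (strict) continue;                         // 'strict-dynamic' ignores host sources and 'self'
    if (s === "*") return true;
    if (s.toLowerCase() === "'self'" && url.origin === ctx.pageOrigin) return true;
    if (!s.startsWith("'") && hostSourceMatches(s, url)) return true;
  }
  return false;
}
// Directives each integration needs, as in the quick-reference table above.
const NEEDS = { cdn: ["script-src", "connect-src"], inline: ["connect-src"],
                gtm: ["script-src", "connect-src"], nextjs: [], astro: [], nuxt: [], api: [] };
// Directives that still block InstantSchema for this integration (empty array = policy is sufficient).
function missingDirectives(policy, integration, ctx) {
  return NEEDS[integration].filter((d) => !cspAllows(policy, d, d === "script-src" ? LOADER : API, ctx));
}
```

For the GTM case the check covers only the InstantSchema entries; GTM's own container domains still have to be allowed separately.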
