Content Security Policy (CSP) Settings for Beacon

If your website or web app has a  Content Security Policy header and you would like to embed a Beacon, you'll want to whitelist a few additional sources so that everything works properly. 

Here's a list of URLs to include in your header. Remember to replace anything that says your-site-subdomain with your Docs site subdomain.

Beacon supports the use of strict CSP v3.

Content-Security-Policy:
    object-src 'none';
    script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
    base-uri 'none';
    report-uri https://your-report-collector.example.com

Add the random nonce to the script tag in your Beacon embed code to allow it to be loaded.

If you are using CSP versions 1 or 2 then the following entries will need to be added for Beacon to function properly on your website:

connect-src:
    https://beaconapi.helpscout.net
    https://chatapi.helpscout.net
    https://d3hb14vkzrxvla.cloudfront.net
    wss://*.pusher.com 
    *.sumologic.com
child-src: // only needed if your Docs content includes any of the video sources below
    https://www.youtube.com
    https://player.vimeo.com
    https://fast.wistia.net
style-src:
    'unsafe-inline'
    https://fonts.googleapis.com
    https://beacon-v2.helpscout.net
font-src:
    data:
    https://fonts.gstatic.com
    https://beacon-v2.helpscout.net
base-uri:
    https://docs.helpscout.net
script-src:
    https://beacon-v2.helpscout.net
    https://d12wqas9hcki3z.cloudfront.net
    https://d33v4339jhl8k0.cloudfront.net
frame-src:
    https://beacon-v2.helpscout.net
object-src:
    https://beacon-v2.helpscout.net
img-src:
    https://*.gravatar.com
    https://beacon-v2.helpscout.net
    https://d33v4339jhl8k0.cloudfront.net
media-src:
    https://beacon-v2.helpscout.net
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still stuck? How can we help? How can we help?