The CSP (Content Security Policy) setup required for Web Analytics

Last week Cloudflare released privacy-first web analytics for free. For some reason, they failed to include information about CSP. Websites with strong CSPs need this information.

Here is what needs to be added to the CSP:

  • 'https://cloudflareinsights.com' in connect-src
  • 'https://static.cloudflareinsights.com' in script-src

I figured this out through trial and error, which is not ideal. I hope Cloudflare takes CSP more seriously in the future.

2 Likes
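Added example, not part of the original post and not Cloudflare's code: one way to merge the two sources listed above into an existing policy string without loosening it. A directive that is missing while default-src exists has to inherit default-src's sources, because adding the new directive stops the fallback. The function names and the sample policy are constructed for illustration, and script-src-elem is not handled.

```javascript
// Sources named in the post above, keyed by the directive they belong in.
const REQUIRED = {
  'connect-src': ['https://cloudflareinsights.com'],
  'script-src': ['https://static.cloudflareinsights.com'],
};

// Parse "directive src src; directive src" into an ordered Map.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Hypothetical helper: returns the policy with the required sources merged in.
function addWebAnalyticsSources(header) {
  const policy = parseCsp(header);
  for (const [directive, sources] of Object.entries(REQUIRED)) {
    let current = policy.get(directive);
    if (current === undefined) {
      // With no default-src either, this resource type is unrestricted.
      if (!policy.has('default-src')) continue;
      // A new directive replaces the default-src fallback: copy its sources.
      current = [...policy.get('default-src')];
    }
    // 'none' only has meaning as the sole token; drop it when adding a source.
    current = current.filter((s) => s.toLowerCase() !== "'none'");
    for (const src of sources) {
      if (!current.includes(src)) current.push(src);
    }
    policy.set(directive, current);
  }
  return [...policy].map(([name, srcs]) => [name, ...srcs].join(' ')).join('; ');
}

// Constructed sample policy, not taken from any real site.
console.log(addWebAnalyticsSources("default-src 'self'; script-src 'self'"));
```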

Thanks for this. However, I’m seeing errors like:

[Error] Origin https://www.[MYDOMAIN].com is not allowed by Access-Control-Allow-Origin.
[Error] XMLHttpRequest cannot load https://cloudflareinsights.com/cdn-cgi/rum due to access control checks.
[Error] Failed to load resource: Origin https://www.[MYDOMAIN].com is not allowed by Access-Control-Allow-Origin. (rum, line 0) 

As well as the CSP, do you also have some CORS settings that mean you’re not seeing these? I haven’t set any and am wondering exactly what I should set.

I found the solution: Access-Control-Allow-Origin errors when using Web Analytics