
Adding Custom Content Security Policy (CSP) Rules for Your Sleekplan Standalone Website

Learn how to configure custom Content Security Policy (CSP) rules for your Sleekplan standalone website so that additional scripts or external tools can load securely.

Updated this week

Introduction

By default, Sleekplan’s standalone website version comes with a preconfigured Content Security Policy (CSP) to ensure security and prevent unauthorized scripts from being loaded. However, in some cases you may need to extend the CSP rules to allow trusted external services.

For example:

  • Loading a support chat widget: If you want to embed a third-party customer support chat (such as Intercom, Crisp, or Zendesk Chat) into your Sleekplan standalone website, you’ll need to whitelist the domains used by that service in the CSP.

  • Embedding analytics tools: If you want to integrate a trusted analytics service (like Google Analytics or Hotjar) to track visitor interactions on your Sleekplan standalone site, you’ll also need to add the corresponding domains to your CSP rules.

How to Add Custom CSP Rules

Follow these steps to configure your custom CSP rules from your Sleekplan admin dashboard:

1. Go to Settings > Website > Website Settings.

2. In Website Settings, open the Custom HTML drop-down menu and look for Content Security Policy. Click on Add.

3. Add your CSP directives in the available code area and click on Save.

Example CSP Rules

Below are some examples you can use as a reference when extending your CSP:

1. Support Chat Widget (e.g., Zendesk)

If you want to embed a support chat in your Sleekplan website board, the custom directives could look like this:

Content-Security-Policy:
script-src 'self' https://static.zdassets.com https://ekr.zdassets.com https://assets.zendesk.com;
style-src 'self' 'unsafe-inline' https://static.zdassets.com https://ekr.zdassets.com https://assets.zendesk.com;
img-src 'self' data: https://static.zdassets.com https://ekr.zdassets.com https://assets.zendesk.com https://zdusercontent.com;
font-src 'self' https://static.zdassets.com https://ekr.zdassets.com https://assets.zendesk.com;
connect-src 'self' wss://*.zendesk.com https://*.zendesk.com https://*.zdassets.com;
frame-src 'self' https://static.zdassets.com https://ekr.zdassets.com https://assets.zendesk.com https://*.zendesk.com;

2. Minimal CSP for Google Analytics

Content-Security-Policy:
script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com;
connect-src 'self' https://www.google-analytics.com;
img-src 'self' https://www.google-analytics.com;
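
Before saving rules like the ones above, it helps to check which sources they actually trust. The following linter is an added example, not Sleekplan's code: it parses a rule block in this page's format (including the leading Content-Security-Policy: line) and flags sources that deserve review. The function names, the finding messages and the abbreviated sample policy are assumptions of this example.

```javascript
// Added example (not Sleekplan code): lint CSP rules in this page's format.
// Constructed sample: a subset of the Zendesk directives shown above.
const SAMPLE_POLICY = `Content-Security-Policy:
script-src 'self' https://static.zdassets.com https://ekr.zdassets.com;
style-src 'self' 'unsafe-inline' https://static.zdassets.com;
img-src 'self' data: https://static.zdassets.com https://zdusercontent.com;
connect-src 'self' wss://*.zendesk.com https://*.zendesk.com https://*.zdassets.com;`;

// Parse into a Map of directive -> sources, noting repeated directives.
function parseCsp(text) {
  const body = text.replace(/^\s*Content-Security-Policy:\s*/i, "");
  const directives = new Map();
  const duplicates = [];
  for (const part of body.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue; // empty segment, e.g. after the final ';'
    const key = name.toLowerCase();
    // Within one policy a repeated directive is ignored; only the first applies.
    if (directives.has(key)) duplicates.push(key);
    else directives.set(key, sources);
  }
  return { directives, duplicates };
}

// Return one human-readable finding per source expression worth reviewing.
function auditCsp(text) {
  const { directives, duplicates } = parseCsp(text);
  const findings = duplicates.map((d) => `${d}: duplicate directive is ignored`);
  for (const [name, sources] of directives) {
    for (const src of sources) {
      if (src === "'unsafe-inline'" || src === "'unsafe-eval'")
        findings.push(`${name}: ${src} permits inline or eval content`);
      else if (src === "*" || /^(https?|wss?):$/i.test(src))
        findings.push(`${name}: ${src} allows any host`);
      else if (src === "data:" && name !== "img-src" && name !== "font-src")
        findings.push(`${name}: data: allows content embedded in URLs`);
      else if (/^(http|ws):\/\//i.test(src))
        findings.push(`${name}: ${src} is not TLS-protected`);
      else if (/^[a-z]+:\/\/\*\./i.test(src) || src.startsWith("*."))
        findings.push(`${name}: ${src} trusts every subdomain`);
    }
  }
  return findings;
}

console.log(auditCsp(SAMPLE_POLICY).join("\n"));
```

On the sample it reports the 'unsafe-inline' source in style-src and the three wildcard hosts in connect-src.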

Note: having a custom domain in your Sleekplan account is required for this option to be available.

⚡ Sleekplan does not yet fully support Google Strict CSP.
