Resolving Content Security Policy (CSP) blocking issues

In some cases, especially for large organizations or enterprise websites, you may notice limited or missing data in Tapper after onboarding. One common cause is your website’s Content Security Policy (CSP) blocking Tapper’s tracking script.

What’s happening?

Tapper uses a lightweight monitoring script that loads from our domain to track user behavior and detect invalid traffic. If your site has a strict CSP in place, the browser will block this script from loading, which prevents Tapper from collecting any data.

In Chrome DevTools → Network tab, you may see a failed request like this:

Request URL: https://monitor.tapper.ai/bundle.js
Error: CSP block or failed to load resource

Example: bundle.js blocked by CSP in browser console.

How to fix it

Your engineering team needs to update your site's CSP headers to allow Tapper’s domains.

Allowlist the following Tapper domains:

arduino
CopyEdit
https://monitor.tapper.ai
https://cdn.tapper.ai

Depending on your setup, you may need to update your script-src, img-src, or connect-src directives to include these URLs.

Example CSP Update

http
CopyEdit
Content-Security-Policy: script-src 'self'
https://monitor.tapper.ai; img-src 'self'
https://cdn.tapper.ai;

For more guidance, refer to this CSP blocking solution example.

Still stuck?

If you’re unsure where to update the CSP or don’t have access, forward this article to your dev or security team. You can also reach out to support@tapper.ai for help.

Updated on: 25/05/2025