Content Security Policy (CSP)


Specifying Content Security Policy is a common way to secure web applications. This mechanism allows specifying which scripts and styles can execute on page. It can be done either by adding a Content-Security-Policy header or an appropriate meta tag.

You can read about Consent Security Policy here:

Content Security Policy configuration

It is common to allow only scripts and connections from known domains.

JavaScript Tracking Client

To load all necessary assets for JavaScript Tracking Client to work you need to define source with script-src, img-src and connect-src sources:

script-src <your-sources>;
img-src <your-sources>;
connect-src <your-sources>;


These paths may require adjusting if you don’t use default settings. For instance JavaScript library may be loaded as an alternative build that doesn’t conflict with Matomo script:

Tracking with custom domain

If your tracking domain is custom, then you need to define it in CSP sources:

script-src <your-sources>;
img-src <your-sources>;
connect-src <your-sources>;

Allowing Site Inspector extention to work on site

Site Inspector is a Chrome browser extension that helps visualize analytics data (e.g. click heat map, scroll map) on tracked pages. Default configuration of JavaScript Tracking Client will add configuration for this extension (in a page HTML), but it is possible to disable this behavior if necessary (setSiteInspectorSetup).

This extension integrates with a page on which it is run so additional CSP rules are needed to allow it’s normal functioning:

connect-src <your-sources+necessary-Piwik-PRO-sources>;
frame-src <your-sources+necessary-Piwik-PRO-sources>;


If you use custom domain for tracking then the domain used in CSP rules should be adjusted accordingly.

Example Content Security Policy definition

Following example configuration of CSP assumes:

  • client’s website address:
  • client’s organization name in Piwik PRO: client
  • client’s domain:
  • client uses default tracking domain:
  • client wants to also allow Site Inspector extention on their site
  • configuration allows 'self' source which is:
Content-Security-Policy: default-src 'none';
                         script-src  'self';
                         img-src     'self';
                         connect-src 'self';