Content Security Policy (CSP) Requirements
If your website uses a Content Security Policy (CSP), you must explicitly allowlist the Raptor domains to ensure tracking, recommendations, and search work correctly. Regardless of how Raptor is implemented — whether through the direct tracking script or via Google Tag Manager — the browser will block any requests to domains not listed in your CSP header.
Required Domains
Add the following entries to your CSP header based on which Raptor features you are using:
| Directive | Domain | Purpose |
|---|---|---|
| script-src | https://deliver.raptorstatic.com | Loads the Raptor tracking script |
| connect-src | https://t.raptorsmartadvisor.com | Sends tracking and behavioural data to Raptor |
| connect-src | https://api.raptorsmartadvisor.com | Fetches website recommendations – if client-side recommendations are used |
| connect-src | https://search.raptorsmartadvisor.com | Fetches search results |
Example CSP Header
A typical full implementation would include:
script-src 'self' https://deliver.raptorstatic.com;
connect-src 'self' https://t.raptorsmartadvisor.com
https://api.raptorsmartadvisor.com
https://search.raptorsmartadvisor.com;
Notes
- You only need to add the domains relevant to the Raptor features you have implemented.
- All domains are explicit and do not require wildcards or unsafe-eval, making them compatible with strict CSP policies.
- If you are unsure whether your website uses a CSP, ask your developer to check the HTTP response headers on your site.
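
To verify an existing policy against the table above, the following added example (not Raptor's code) parses a CSP header value and lists the Raptor origins it would block, including the case where `connect-src` or `script-src` is absent and `default-src` (or a `script-src-elem` override) governs the request instead. The function names and the sample policy are assumptions of this example, it expects a single policy, and source matching is simplified as noted in the comments.

```javascript
// Raptor origins required per directive, copied from the table on this page.
const RAPTOR_SOURCES = {
  "script-src": ["https://deliver.raptorstatic.com"],
  "connect-src": ["https://t.raptorsmartadvisor.com", "https://api.raptorsmartadvisor.com",
    "https://search.raptorsmartadvisor.com"],
};
// Order in which the browser looks for the directive that governs a request.
const FALLBACK = {
  "script-src": ["script-src-elem", "script-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
};
// Constructed sample policy: the script is allowed, connect-src is missing.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://deliver.raptorstatic.com";

// Parse one CSP header value into a Map of directive name -> source list.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by the browser: the first one wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified matching: "*", "https:", an exact host, or a "*.domain" wildcard.
// Ports and paths in a source expression are not evaluated.
function sourceAllows(source, origin) {
  const src = source.toLowerCase();
  if (src === "*" || src === "https:") return true;
  const m = /^(?:https:\/\/)?(\*\.)?([a-z0-9.-]+)/.exec(src);
  if (!m) return false; // keywords such as 'self' or 'none', nonces, hashes
  const host = new URL(origin).hostname;
  return m[1] ? host.endsWith("." + m[2]) : host === m[2];
}

// List the Raptor origins the policy would block, with the governing directive.
function missingRaptorSources(headerValue, required = RAPTOR_SOURCES) {
  const policy = parseCsp(headerValue);
  return Object.entries(required).flatMap(([directive, origins]) => {
    const governedBy = FALLBACK[directive].find((d) => policy.has(d));
    if (!governedBy) return []; // nothing restricts this request type
    return origins
      .filter((o) => !policy.get(governedBy).some((s) => sourceAllows(s, o)))
      .map((origin) => ({ directive, governedBy, origin }));
  });
}
console.log(missingRaptorSources(SAMPLE_POLICY));
```

For the sample policy the result names the three `connect-src` origins, each governed by `default-src`. To check only the features you use, pass a reduced `required` object.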