Enable the Content Security Policy for Real User Monitoring

If the RUM Agent request from the client browser fails with a blocked:csp error, you need to allow the RUM Agent in the Content Security Policy directives that your web server sends for Real User Monitoring. This page explains how.

What is Content Security Policy (CSP)?

Content Security Policy (CSP) is an essential security standard designed to protect web applications from cross-site scripting (XSS) and other code injection attacks. However, it's important to note that a strict CSP may inadvertently block inline JavaScript and prevent the browser from sending monitoring data to the Real User Monitoring agent.

How is a CSP rule configured in the application?

CSP rules can be set via the <meta> element in the page or via the HTTP response header. For example:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; connect-src 'self';"/>

How to enable Content Security Policy (CSP) for Real User Monitoring?

CSP rules on a page must be configured so that they allow the RUM script to load and execute. Follow the steps below to enable CSP for RUM:

1. Copy the RUM Agent URL from the script injected in your application
The RUM Agent URL is injected into your application's code. You need to copy this URL to use it in the CSP configuration.

2. Construct the Content Security Policy to allow the copied RUM Agent URL
The Content Security Policy is a string that specifies which sources of content a web page is allowed to load and execute. You need to construct this policy so that it allows the RUM Agent URL.
Here is an example of a Content Security Policy that allows the RUM Agent URL:
Content-Security-Policy: connect-src 'self' https://your.corp.com:7443; script-src 'unsafe-inline' https://your.corp.com:7443
This policy allows connections to https://your.corp.com:7443, and allows inline JavaScript as well as scripts loaded from that URL.

3. Restart your application (if required)
After configuring the CSP header, restart your application (if required) and check whether Real User Monitoring is enabled for the site. You can verify this by checking the RUM dashboard.
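
An added example, not from the original page or the product: one way to build the policy in step 2 from a site's existing policy, using the page's placeholder agent URL. The function names and the inlineSnippet option are hypothetical, and the example goes beyond the page's case by handling a policy where script-src is absent and default-src applies.

```javascript
// Added example: merge a RUM agent origin into an existing CSP value.
// The function names and the inlineSnippet option are hypothetical.
const RUM_DIRECTIVES = ['connect-src', 'script-src'];

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives]
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

function allowRumAgent(policy, agentOrigin, { inlineSnippet = false } = {}) {
  const directives = parseCsp(policy);
  for (const name of RUM_DIRECTIVES) {
    let sources = directives.get(name);
    if (!sources) {
      const fallback = directives.get('default-src');
      // Neither the directive nor default-src is set: nothing to relax.
      if (!fallback) continue;
      // A new directive replaces the default-src fallback, so copy its sources.
      sources = [...fallback];
    }
    // 'none' must stand alone; drop it once a real source is added.
    sources = sources.filter((s) => s.toLowerCase() !== "'none'");
    if (!sources.includes(agentOrigin)) sources.push(agentOrigin);
    if (name === 'script-src' && inlineSnippet && !sources.includes("'unsafe-inline'")) {
      sources.push("'unsafe-inline'");
    }
    directives.set(name, sources);
  }
  return serializeCsp(directives);
}

// The <meta> policy shown earlier on this page, with the agent origin allowed.
console.log(allowRumAgent("default-src 'self'; connect-src 'self';",
  'https://your.corp.com:7443', { inlineSnippet: true }));
```

'unsafe-inline' permits every inline script on the page, so the example adds it only when inlineSnippet is set. Browsers ignore 'unsafe-inline' when script-src also carries a nonce or hash source.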
