Reference

CSP Directives for Popular Third-Party Services

Copy-paste CSP additions for the services your site most likely uses. Merge the sources into the matching directives of your existing policy; do not replace your full policy with them, and do not append the lines as they stand. Within one policy a browser honours only the first occurrence of a directive name, so a second script-src line is silently ignored and the service breaks. When a fragment introduces a directive your policy did not have (font-src, for example), that directive stops inheriting from default-src, so carry over 'self' and any other sources you still need.

Google Analytics 4 (GA4) via GTM

script-src https://www.googletagmanager.com https://www.google-analytics.com;
connect-src https://www.google-analytics.com https://analytics.google.com https://region1.google-analytics.com;
img-src https://www.google-analytics.com https://www.googletagmanager.com;

The GTM container snippet itself is an inline script, so script-src also needs a nonce or hash for it. GTM then loads whatever tags the container is configured with; each of those tags needs its own hosts allowed as well.

Google Fonts

style-src https://fonts.googleapis.com;
font-src https://fonts.gstatic.com;

Stripe.js

script-src https://js.stripe.com;
frame-src https://js.stripe.com https://hooks.stripe.com;
connect-src https://api.stripe.com;

Intercom

script-src https://widget.intercom.io https://js.intercomcdn.com;
connect-src https://api.intercom.io https://api-iam.intercom.io wss://nexus-websocket-a.intercom.io;
img-src https://static.intercomassets.com https://downloads.intercomcdn.com;
frame-src https://intercom-sheets.com;

HubSpot

script-src https://js.hs-scripts.com https://js.usemessages.com https://js.hscollectedforms.net https://js.hs-analytics.net;
connect-src https://api.hubspot.com https://forms.hubspot.com https://track.hubspot.com;
img-src https://track.hubspot.com;

Hotjar

script-src https://static.hotjar.com https://script.hotjar.com;
connect-src https://*.hotjar.com https://*.hotjar.io wss://*.hotjar.com;
img-src https://*.hotjar.com;
font-src https://static.hotjar.com;

reCAPTCHA v3

script-src https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/;
frame-src https://www.google.com/recaptcha/;
connect-src https://www.google.com/recaptcha/;

YouTube embeds

frame-src https://www.youtube.com https://www.youtube-nocookie.com;
img-src https://i.ytimg.com;
connect-src https://www.youtube.com;

Cloudflare Turnstile

script-src https://challenges.cloudflare.com;
frame-src https://challenges.cloudflare.com;
connect-src https://challenges.cloudflare.com;

Sentry (error monitoring)

script-src https://browser.sentry-cdn.com;
connect-src https://*.sentry.io;

Crisp chat

script-src https://client.crisp.chat;
connect-src https://client.relay.crisp.chat wss://client.relay.crisp.chat;
img-src https://image.crisp.chat https://storage.crisp.chat;
frame-src https://game.crisp.chat;
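The two failure modes behind the merging advice at the top of this page (a duplicated directive is ignored, a newly added directive stops inheriting from default-src) and the source-expression forms used in the fragments above (scheme-only sources such as wss:, wildcard hosts such as https://*.hotjar.com, path prefixes such as https://www.google.com/recaptcha/) are both easy to get wrong by eye. The following is an added example, not code from this page or from CSPFixer: it merges a fragment into an existing policy the way a browser would read it, and dry-runs the result against request URLs using the host-source matching rules of CSP Level 3. The existing policy, the origin https://shop.example and the nonce are constructed sample inputs; the fragment is the Stripe.js one above. Path matching is applied to the initial URL only, since browsers ignore the path component once a request has been redirected.

```javascript
// Added example: merge a CSP fragment into an existing policy and check which
// request URLs the result allows. Node 18+ (uses the WHATWG URL class).

// What each fetch directive falls back to when it is absent (CSP Level 3).
const FALLBACK = {
  'script-src-elem': ['script-src', 'default-src'],
  'script-src-attr': ['script-src', 'default-src'],
  'style-src-elem': ['style-src', 'default-src'],
  'style-src-attr': ['style-src', 'default-src'],
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
};
for (const d of ['child-src', 'connect-src', 'font-src', 'img-src', 'manifest-src',
                 'media-src', 'object-src', 'script-src', 'style-src']) {
  FALLBACK[d] = ['default-src'];
}
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const UPGRADES = { 'http:': 'https:', 'ws:': 'wss:' }; // http: also admits https:, ws: admits wss:

// "dir a b; dir2 c" -> Map(dir -> Set(sources)). A later duplicate of a directive
// name is dropped, which is exactly how a browser treats it.
function parseCsp(policy) {
  const out = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !out.has(tokens[0].toLowerCase())) {
      out.set(tokens[0].toLowerCase(), new Set(tokens.slice(1)));
    }
  }
  return out;
}

function serializeCsp(directives) {
  return [...directives].map(([d, s]) => [d, ...s].join(' ')).join('; ');
}

// The source list that actually governs `name` in this policy, following fallbacks.
// Returns null when nothing in the policy restricts that fetch type.
function effectiveSources(directives, name) {
  for (const d of [name, ...(FALLBACK[name] || [])]) {
    if (directives.has(d)) return directives.get(d);
  }
  return null;
}

function mergeCsp(existing, addition) {
  const base = parseCsp(existing);
  for (const [name, sources] of parseCsp(addition)) {
    if (!base.has(name)) {
      // New directive: seed it with what it inherited until now, so 'self'
      // (and anything else in default-src) keeps working.
      base.set(name, new Set(effectiveSources(base, name) || []));
    }
    const target = base.get(name);
    target.delete("'none'"); // 'none' only has meaning on its own
    sources.forEach((s) => target.add(s));
  }
  return serializeCsp(base);
}

function schemeOk(want, actual) {
  return actual === want || UPGRADES[want] === actual;
}

// Does one source expression match `url` for a page served from `origin`?
function sourceMatches(expr, url, origin) {
  const u = new URL(url);
  const o = new URL(origin);
  if (expr === "'self'") return u.origin === o.origin;
  if (expr.startsWith("'")) return false; // 'none', nonces and hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return schemeOk(expr.toLowerCase(), u.protocol); // scheme-source, e.g. wss:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (!schemeOk(scheme ? scheme.toLowerCase() + ':' : o.protocol, u.protocol)) return false;
  const h = host.toLowerCase();
  if (h.startsWith('*.')) {
    // "*.hotjar.com" matches subdomains only, never the apex "hotjar.com"
    if (!u.hostname.endsWith(h.slice(1))) return false;
  } else if (h !== '*' && u.hostname !== h) return false;
  if (port === undefined) {
    if (u.port !== '') return false; // no port in the expression means the scheme's default port
  } else if (port !== '*' && port !== (u.port || DEFAULT_PORT[u.protocol])) return false;
  if (path) {
    // Trailing slash is a prefix match; otherwise the path must be exact.
    if (path.endsWith('/') ? !u.pathname.startsWith(path) : u.pathname !== path) return false;
  }
  return true;
}

// Would a `directive` request to `url` be allowed by `policy`?
function policyAllows(policy, directive, url, origin) {
  const sources = effectiveSources(parseCsp(policy), directive);
  if (sources === null) return true;
  return [...sources].some((expr) => sourceMatches(expr, url, origin));
}

// Constructed sample: an existing policy (with a nonce and frames disabled) plus
// the Stripe.js fragment from this page, served from a made-up origin.
const EXISTING = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-src 'none'";
const STRIPE = "script-src https://js.stripe.com; frame-src https://js.stripe.com https://hooks.stripe.com; connect-src https://api.stripe.com;";
const ORIGIN = 'https://shop.example';

function demo() {
  const merged = mergeCsp(EXISTING, STRIPE);
  const naive = `${EXISTING}; ${STRIPE}`; // what plain appending produces
  return {
    merged,
    naiveAllowsStripeJs: policyAllows(naive, 'script-src', 'https://js.stripe.com/v3/', ORIGIN),
    mergedAllowsStripeJs: policyAllows(merged, 'script-src', 'https://js.stripe.com/v3/', ORIGIN),
    mergedAllowsOwnXhr: policyAllows(merged, 'connect-src', 'https://shop.example/api/cart', ORIGIN),
  };
}

console.log(demo());
```

With the sample inputs, the naively appended policy still blocks https://js.stripe.com/v3/ because its second script-src line is ignored, while the merged policy allows it and keeps connect-src 'self' for the site's own XHR. Run the same policyAllows check over the list of URLs your page actually requests (the browser's CSP violation reports give you that list) before you ship a change.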

Missing a service? Use CSPFixer — it scans your live page, finds every external resource your page loads, and generates a complete CSP automatically.
