CSP rule not working. Is there a default Netlify CSP out of my control?
My website guitmz.com is hosted via Netlify (DNS too). I’m trying to use Plausible for analytics and I can’t make it work. I added a custom CSP rule to allow connections to it already but even if I remove the CSP headers entirely, the error stays the same. Is there a default CSP rule applied by Netlify that I can’t see?

Error: Refused to connect to https://plausible.io/api/event because it does not appear in the connect-src directive of the Content Security Policy.

Config I tried (tried several, this is one of them): Content-Security-Policy: connect-src 'self' plausible.io

I tried with https://, the full URL of Plausible in CSP, tried with a custom subdomain (visitors.guitmz.com) instead too, it displays the same error always (with the subdomain the error changes to the subdomain of course).

Any guidance would be great! Thanks in advance.

Hi, @guitmz. We don’t set or override any CSP headers nor do we set any by default.

Note, I believe your site is setting headers in two places:

  • in the file _headers
  • in the file netlify.toml

You might simplify the troubleshooting by setting these headers in just one place.

Now, about what CSP headers are required for plausible.io to work, that I do not know.

Our support team can help you troubleshoot the creation of custom headers but we need you to tell us what those headers are. In other words, we can troubleshoot Netlify but troubleshooting the CSP itself isn’t covered by the scope of our technical support here.

Other people here may be able to troubleshoot the CSP itself though so the question is definitely still welcome here. I just wanted to explain what is and is not covered by the support team.

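The error quoted in the question is the browser's connect-src check, and the reply's point about headers being set in two places matters because a browser enforces every Content-Security-Policy header it receives independently: a request must be permitted by all of them, so a second, stricter header (for example a bare `default-src 'self'`) blocks the connection even when the first header lists plausible.io. The script below is an added example, not code from this thread, from Netlify or from Plausible. It evaluates a connect-src decision the way a browser does, following the CSP Level 3 host-source matching rules ('self', scheme-only sources, wildcard subdomains, ports and path prefixes), for one or more header values. The page origin, target URL and header strings are constructed to mirror the thread; to check a real site, paste the header values shown in the browser's Network tab for the HTML response.

```python
"""Evaluate a CSP connect-src decision for one or more policy headers.

Added example (not from the forum thread). Implements the CSP Level 3
host-source matching rules for the cases a site operator usually hits:
'self', '*', scheme-source (https:), host with optional scheme, wildcard
subdomain (*.example.com), optional port (or :*) and optional path
(exact, or prefix when it ends in '/'). Nonces, hashes and 'unsafe-*'
keywords never permit a fetch, so they count as non-matching.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# Scheme upgrades CSP accepts when the source lists the weaker scheme.
UPGRADES = {("http", "https"), ("ws", "wss"), ("ws", "http"),
            ("ws", "https"), ("wss", "https")}


def parse_csp(header):
    """Split a policy into {directive-name: [source-expression, ...]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            # Browsers honour the first occurrence of a directive and ignore repeats.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _scheme_ok(expected, actual):
    return actual == expected or (expected, actual) in UPGRADES


def _port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def source_matches(source, url, page_origin):
    """Does one source expression permit a fetch to `url` from `page_origin`?"""
    u, page = urlsplit(url), urlsplit(page_origin)
    if source == "*":
        return u.scheme in DEFAULT_PORTS       # any network scheme, any host
    if source == "'self'":
        return (u.scheme, u.hostname, _port(u)) == (page.scheme, page.hostname, _port(page))
    if source.startswith("'"):
        return False                           # 'none', nonces, hashes, 'unsafe-inline'
    if source.endswith(":") and "/" not in source:
        return _scheme_ok(source[:-1].lower(), u.scheme)   # scheme-source, e.g. "https:"
    # host-source: [scheme://]host[:port][/path]
    scheme, _, rest = source.rpartition("://")
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    # A missing scheme means "the page's scheme" (https pages therefore require https).
    if not _scheme_ok((scheme or page.scheme).lower(), u.scheme):
        return False
    hostname = (u.hostname or "").lower()
    if host.startswith("*."):
        if not hostname.endswith(host[1:].lower()):       # *.example.com excludes example.com
            return False
    elif host.lower() != hostname:
        return False
    if port == "*":
        pass
    elif port:
        if _port(u) != int(port):
            return False
    elif _port(u) != DEFAULT_PORTS.get(u.scheme):         # no port listed: default port only
        return False
    if slash and path:
        want = "/" + path
        if want.endswith("/"):
            if not u.path.startswith(want):                # trailing slash: prefix match
                return False
        elif u.path != want:                               # otherwise: exact match
            return False
    return True


def connect_allowed(csp_headers, url, page_origin):
    """A fetch passes only if every delivered CSP header permits it. Within one
    header connect-src falls back to default-src; a policy with neither does
    not constrain connections at all."""
    for header in csp_headers:
        policy = parse_csp(header)
        sources = policy.get("connect-src", policy.get("default-src"))
        if sources is None:
            continue
        if not any(source_matches(s, url, page_origin) for s in sources):
            return False
    return True


if __name__ == "__main__":
    page = "https://guitmz.com"                 # constructed to mirror the thread
    target = "https://plausible.io/api/event"
    cases = {
        "one header listing the host": ["connect-src 'self' plausible.io"],
        "second header without the host": ["connect-src 'self' plausible.io", "default-src 'self'"],
        "path prefix /api/": ["connect-src https://plausible.io/api/"],
        "exact path /api": ["connect-src https://plausible.io/api"],
    }
    for label, headers in cases.items():
        verdict = "allowed" if connect_allowed(headers, target, page) else "blocked"
        print(f"{label:32} -> {verdict}")
```

The second case is the one to look for when a site emits headers from both `_headers` and `netlify.toml`: each delivered policy is evaluated on its own, so the request is blocked unless every one of them names the analytics host (or a `default-src` it falls back to does).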