CSP Configuration

If your site uses Content Security Policy (CSP) headers, you need to allow CookieBoss domains for the consent script to work.

Required CSP directives

Add these domains to your CSP header:

DirectiveDomainPurpose
script-srccdn.cookieboss.ioLoads the consent script
connect-srca.cookieboss.ioSends analytics beacons
style-src'unsafe-inline'Consent banner styles (injected via Shadow DOM)

Example CSP header

HTTP header text 
Content-Security-Policy:
default-src 'self';
script-src 'self' https://cdn.cookieboss.io;
connect-src 'self' https://a.cookieboss.io;
style-src 'self' 'unsafe-inline';

Nginx

nginx.conf nginx 
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.cookieboss.io; connect-src 'self' https://a.cookieboss.io; style-src 'self' 'unsafe-inline';";

Apache

.htaccess apache 
Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.cookieboss.io; connect-src 'self' https://a.cookieboss.io; style-src 'self' 'unsafe-inline';"

Next.js

next.config.js javascript 
const csp = [
"default-src 'self'",
"script-src 'self' https://cdn.cookieboss.io",
"connect-src 'self' https://a.cookieboss.io",
"style-src 'self' 'unsafe-inline'",
].join('; ');

module.exports = {
async headers() {
  return [{
    source: '/(.*)',
    headers: [{ key: 'Content-Security-Policy', value: csp }],
  }];
},
};

Cloudflare Workers

Cloudflare Worker typescript 
const csp = [
"default-src 'self'",
"script-src 'self' https://cdn.cookieboss.io",
"connect-src 'self' https://a.cookieboss.io",
"style-src 'self' 'unsafe-inline'",
].join('; ');

// In your worker's fetch handler:
response.headers.set('Content-Security-Policy', csp);

Shadow DOM and styles

The CookieBoss consent banner renders inside a Shadow DOM, which provides CSS isolation. However, the styles are injected inline within the shadow root, so style-src 'unsafe-inline' is required. This is a common pattern for widget scripts and does not affect the security of your main document styles.

Don't forget connect-src

The connect-src directive is easy to miss. Without it, consent analytics beacons to a.cookieboss.io will be silently blocked, and you won’t see analytics data in your dashboard.