Is the Piwik PRO JavaScript Tracker CSP (Content Security Policy) compatible and how do I set it up?

Yes, the Piwik PRO Analytics module can be used with CSP. However, you can’t use the standard tracking code generated by the Tracking Code Generator in the Piwik PRO UI, because inline scripts are not allowed when CSP is enabled. CSP is a security mechanism designed to prevent cross-site scripting (XSS) and related attacks.

Specifying a Content Security Policy is a common way to secure web applications. The mechanism lets you specify which scripts and styles can execute on the page. It can be set either by adding a Content-Security-Policy header or an appropriate meta tag. It is common to allow only scripts and styles that were received from known domains or that carry a special nonce attribute. Unfortunately, it doesn’t currently work for synchronous tags (a change is in progress). It may also not work for template tags, so we suggest using custom tags with CSP.
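The following added example (not Piwik PRO code) shows the nonce and known-domain rules described above: a server issues a fresh nonce per response, and a simplified `script-src` check shows why an inline snippet without that nonce is blocked. The origin `https://tracker.example`, the page markup and all function names are assumptions made for illustration.

```python
import secrets
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRACKER_ORIGIN = "https://tracker.example"  # placeholder, not a real Piwik PRO host

def build_csp(nonce, origin=TRACKER_ORIGIN):
    """Header value allowing scripts from one origin or carrying this response's nonce."""
    return f"script-src 'nonce-{nonce}' {origin}"

def render_page(nonce=None, origin=TRACKER_ORIGIN):
    """Constructed page: one inline script (placeholder body) and two external ones."""
    attr = f' nonce="{nonce}"' if nonce else ""
    return (f"<html><head><script{attr}>/* inline tracking snippet goes here */</script>"
            f'<script src="{origin}/tracker.js"></script>'
            '<script src="https://other.example/x.js"></script></head></html>')

class _Scripts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found.append(dict(attrs))

def evaluate(policy, html):
    """Simplified script-src check (nonce and exact origin only); (script, allowed) pairs."""
    sources = policy.split()[1:]
    nonces = {s[7:-1] for s in sources if s.startswith("'nonce-")}
    origins = {s for s in sources if not s.startswith("'")}
    parser = _Scripts()
    parser.feed(html)
    results = []
    for attrs in parser.found:
        src = attrs.get("src")
        if attrs.get("nonce") in nonces:
            ok = True
        elif src:
            u = urlsplit(src)
            ok = f"{u.scheme}://{u.netloc}" in origins
        else:
            ok = False  # inline script without a matching nonce is blocked
        results.append((src or "inline", ok))
    return results

def respond():
    """One response: fresh nonce, matching header value and markup."""
    nonce = secrets.token_urlsafe(16)  # new random value for every response
    return build_csp(nonce), render_page(nonce)
```

Send the first value returned by `respond()` as the `Content-Security-Policy` header of the response that carries the second.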

Technical Support

If you have any questions, drop us a line at support@piwik.pro.

We’re happy to help!