The Content-Security-Policy HTTP response header helps you reduce XSS risks in modern browsers by declaring which dynamic resources are allowed to load. If your site uses CSP, you must add the following directives to your CSP header:
frame-src 'self' https://*.gleap.io;
script-src 'self' https://*.gleap.io;
style-src 'self' 'unsafe-inline' https://*.gleap.io;
font-src 'self' https://*.gleap.io data:;
connect-src 'self' https://*.gleap.io wss://ws.gleap.io https://*.pusher.com wss://*.pusher.com;
media-src 'self' https://*.gleap.io;
img-src 'self' https://*.gleap.io data: blob:;
We strongly recommend using the https://*.gleap.io wildcard. The SDK contacts several Gleap subdomains (api.gleap.io, ws.gleap.io, messenger-app.gleap.io, outboundmedia.gleap.io, app.gleap.io, js.gleap.io), and the list may grow as we ship new features.
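
When a site already defines some of these directives, the Gleap sources have to be merged into them: browsers ignore a repeated directive within one policy, and a newly added directive stops falling back to default-src. The following added example (not Gleap's code; the function names and the sample policy are assumptions constructed for illustration) performs that merge in Node.js:

```javascript
// Sources copied from the directives listed on this page.
const GLEAP_CSP = {
  'frame-src': ["'self'", 'https://*.gleap.io'],
  'script-src': ["'self'", 'https://*.gleap.io'],
  'style-src': ["'self'", "'unsafe-inline'", 'https://*.gleap.io'],
  'font-src': ["'self'", 'https://*.gleap.io', 'data:'],
  'connect-src': ["'self'", 'https://*.gleap.io', 'wss://ws.gleap.io',
                  'https://*.pusher.com', 'wss://*.pusher.com'],
  'media-src': ["'self'", 'https://*.gleap.io'],
  'img-src': ["'self'", 'https://*.gleap.io', 'data:', 'blob:'],
};

// Parse "name src src; name src" into a Map, keeping the first occurrence of
// each directive (browsers ignore later duplicates within one policy).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function mergeGleapCsp(existingHeader, required = GLEAP_CSP) {
  const policy = parseCsp(existingHeader);
  for (const [name, needed] of Object.entries(required)) {
    // A missing directive falls back to default-src (frame-src tries child-src
    // first), so seed from the fallback to keep sources the site relied on.
    const fallback = name === 'frame-src' ? policy.get('child-src') : undefined;
    const base = policy.get(name) ?? fallback ?? policy.get('default-src') ?? [];
    // 'none' must stand alone; it cannot be combined with other sources.
    const merged = base.filter((s) => s.toLowerCase() !== "'none'");
    for (const src of needed) {
      if (!merged.includes(src)) merged.push(src);
    }
    policy.set(name, merged);
  }
  return [...policy].map(([n, s]) => [n, ...s].join(' ')).join('; ');
}

// Constructed sample policy, not taken from a real site.
const sample = "default-src 'self' https://cdn.example; script-src 'self' 'nonce-abc123'; object-src 'none'";
console.log(mergeGleapCsp(sample));
```

If the existing style-src carries a nonce or hash, browsers ignore 'unsafe-inline' there, so verify the merged policy in the browser console.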

Why Pusher is in connect-src

The Gleap messenger uses Pusher for realtime delivery of conversations and notifications. Pusher routes to a regional cluster, so the exact host depends on where your workspace lives:
  • EU workspaces: wss://ws-eu.pusher.com and https://sockjs-eu.pusher.com
  • US workspaces: wss://ws-mt1.pusher.com and https://sockjs-mt1.pusher.com
  • Other regions follow the same ws-{cluster}.pusher.com / sockjs-{cluster}.pusher.com pattern.
To stay region-portable, allow the wildcards https://*.pusher.com and wss://*.pusher.com in connect-src rather than pinning a single cluster.

Strict CSPs without wildcards

If your security policy forbids wildcards, here is the full explicit allowlist the SDK uses today:
// Gleap
https://api.gleap.io
wss://ws.gleap.io
https://js.gleap.io
https://app.gleap.io
https://messenger-app.gleap.io
https://outboundmedia.gleap.io

// Pusher (use the cluster assigned to your workspace)
wss://ws-{cluster}.pusher.com
https://sockjs-{cluster}.pusher.com
This explicit list can change without notice as we add features or migrate infrastructure. The *.gleap.io and *.pusher.com wildcards are the safest choice.
Depending on your setup, you might need further customizations. Check the browser console for any CSP errors and add the reported origins to the matching directive.