# Content Security Policy (CSP)

The Content-Security-Policy HTTP response header helps you reduce XSS risk in modern browsers by declaring, per resource type, which origins the page is allowed to load scripts, frames, styles, fonts, connections and media from.

If you use a CSP, you must add the following directives to your policy. Merge these sources into any directive of the same name you already have, since browsers honor only the first occurrence of a directive:

```javascript theme={null}
frame-src 'self' https://*.gleap.io;
```

```javascript theme={null}
script-src 'self' https://*.gleap.io;
```

```javascript theme={null}
style-src 'self' 'unsafe-inline' https://*.gleap.io;
```

```javascript theme={null}
font-src 'self' https://*.gleap.io data:;
```

```javascript theme={null}
connect-src 'self' https://*.gleap.io wss://ws.gleap.io https://*.pusher.com wss://*.pusher.com;
```

```javascript theme={null}
media-src 'self' https://*.gleap.io;
```

```javascript theme={null}
img-src 'self' https://*.gleap.io data: blob:;
```

<Info>
  We strongly recommend using the `https://*.gleap.io` wildcard. The SDK contacts several Gleap subdomains (`api.gleap.io`, `ws.gleap.io`, `messenger-app.gleap.io`, `outboundmedia.gleap.io`, `app.gleap.io`, `js.gleap.io`), and the list may grow as we ship new features.
</Info>

### Why Pusher is in `connect-src`

The Gleap messenger uses [Pusher](https://pusher.com) for realtime delivery of conversations and notifications. Pusher routes to a regional cluster, so the exact host depends on where your workspace lives:

* EU workspaces: `wss://ws-eu.pusher.com` and `https://sockjs-eu.pusher.com`
* US workspaces: `wss://ws-mt1.pusher.com` and `https://sockjs-mt1.pusher.com`
* Other regions follow the same `ws-{cluster}.pusher.com` / `sockjs-{cluster}.pusher.com` pattern.

To stay region-portable, allow the wildcards `https://*.pusher.com` and `wss://*.pusher.com` in `connect-src` rather than pinning a single cluster.

### Strict CSPs without wildcards

If your security policy forbids wildcards, here is the full explicit allowlist the SDK uses today:

```javascript theme={null}
// Gleap
https://api.gleap.io
wss://ws.gleap.io
https://js.gleap.io
https://app.gleap.io
https://messenger-app.gleap.io
https://outboundmedia.gleap.io

// Pusher (use the cluster assigned to your workspace)
wss://ws-{cluster}.pusher.com
https://sockjs-{cluster}.pusher.com
```

<Warning>
  This explicit list can change without notice as we add features or migrate infrastructure. The `*.gleap.io` and `*.pusher.com` wildcards are the safest choice.
</Warning>

Depending on your setup, further adjustments may be needed. Check the browser console for CSP violation reports and add each reported origin to the matching directive. Rolling the policy out first as `Content-Security-Policy-Report-Only` lets you collect these violations without blocking anything.
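Before relying on console errors, you can check a candidate header offline against the directive list on this page. The checker below is an added example, not code from Gleap's docs or SDK; the function names and the sample header are assumptions constructed for illustration, and it goes slightly beyond the page by modelling the `default-src` fallback, which is the usual reason a directive that was never set still blocks Gleap.

```javascript
// Gleap sources this page requires per directive (keywords such as 'unsafe-inline' need an exact match).
const REQUIRED = {
  "frame-src": ["https://*.gleap.io"],
  "script-src": ["https://*.gleap.io"],
  "style-src": ["'unsafe-inline'", "https://*.gleap.io"],
  "font-src": ["https://*.gleap.io", "data:"],
  "connect-src": ["https://*.gleap.io", "wss://ws.gleap.io", "https://*.pusher.com", "wss://*.pusher.com"],
  "media-src": ["https://*.gleap.io"],
  "img-src": ["https://*.gleap.io", "data:", "blob:"],
};
// Header value -> { directive: [sources] }. Names are case-insensitive and, as in
// browsers, only the first occurrence of a directive counts.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}
// Does one source expression in the policy cover a required source? "https:" covers any https host;
// "https://*.gleap.io" covers https subdomains only: not wss://ws.gleap.io and not https://gleap.io.
function covers(allowed, required) {
  const a = allowed.toLowerCase(), r = required.toLowerCase();
  if (a === r) return true;
  const req = /^([a-z][a-z0-9+.-]*):(?:\/\/([^/]+))?$/.exec(r);
  if (!req) return false;
  const [, scheme, host] = req;
  if (a === scheme + ":") return true;
  if (a === "*") return Boolean(host); // "*" never covers data:/blob: sources
  const wild = /^([a-z][a-z0-9+.-]*):\/\/\*\.([^/]+)$/.exec(a);
  return Boolean(wild && host && wild[1] === scheme && host.endsWith("." + wild[2]));
}
// Returns { directive: [missing sources] }; an empty object means the policy is complete.
function missingGleapSources(header) {
  const policy = parseCsp(header), missing = {};
  for (const [directive, needed] of Object.entries(REQUIRED)) {
    // A missing fetch directive falls back to default-src (frame-src via child-src first); none at all = unrestricted.
    const chain = directive === "frame-src" ? ["frame-src", "child-src", "default-src"] : [directive, "default-src"];
    const hit = chain.find((d) => d in policy);
    if (!hit) continue;
    const gaps = needed.filter((req) => !policy[hit].some((src) => covers(src, req)));
    if (gaps.length) missing[directive] = gaps;
  }
  return missing;
}
// Constructed sample: only four of the seven directives were set, the rest fall back to default-src.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://*.gleap.io; style-src 'self' " +
  "'unsafe-inline' https://*.gleap.io; connect-src 'self' https://*.gleap.io https://*.pusher.com; img-src 'self' data: blob: https://*.gleap.io";
console.log(missingGleapSources(SAMPLE_POLICY));
```

For the sample header the output lists `frame-src`, `font-src` and `media-src` as inheriting a bare `'self'` from `default-src`, and `connect-src` as lacking both `wss://` entries, since the `https://` wildcards do not cover WebSocket origins.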
