Skip to main content
All CollectionsSecurity & PrivacySecurity
Using Intercom with Content Security Policy
Using Intercom with Content Security Policy

All Intercom domains you'll need to allow in your CSP or firewall.

Thibault Candebat avatar
Written by Thibault Candebat
Updated over 4 months ago

Content Security Policy (CSP) is a security mechanism that helps protect against content injection attacks, such as Cross Site Scripting (XSS).

Intercom fully supports Google strict CSPv3:

Content-Security-Policy:
  object-src 'none';
  script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
  base-uri 'self';

If you are already serving this policy from your website, you don't need to apply any changes. Please also note that you will need to include some nonce-source(s) for some scripts being loaded by the Messenger. You can refer to this tutorial for any help regarding the handling of nonces.

If you prefer to rely on source allowlisting (for example if you can't use CSPv2 or v3 features) here are relevant directives you'll need to use:

script-src:
https://app.intercom.io
https://widget.intercom.io
https://js.intercomcdn.com

If you're applying other CSP directives, you'll need to add the following entries for Intercom to function correctly:

connect-src:
https://via.intercom.io
https://api.intercom.io
https://api.au.intercom.io
https://api.eu.intercom.io
https://api-iam.intercom.io
https://api-iam.eu.intercom.io
https://api-iam.au.intercom.io
https://api-ping.intercom.io
https://nexus-websocket-a.intercom.io
wss://nexus-websocket-a.intercom.io
https://nexus-websocket-b.intercom.io
wss://nexus-websocket-b.intercom.io
https://nexus-europe-websocket.intercom.io
wss://nexus-europe-websocket.intercom.io
https://nexus-australia-websocket.intercom.io
wss://nexus-australia-websocket.intercom.io
https://uploads.intercomcdn.com
https://uploads.intercomcdn.eu
https://uploads.au.intercomcdn.com
https://uploads.eu.intercomcdn.com
https://uploads.intercomusercontent.com

child-src:
https://intercom-sheets.com
https://www.intercom-reporting.com
https://www.youtube.com
https://player.vimeo.com
https://fast.wistia.net

font-src:
https://js.intercomcdn.com
https://fonts.intercomcdn.com

form-action:
https://intercom.help
https://api-iam.intercom.io
https://api-iam.eu.intercom.io
https://api-iam.au.intercom.io

media-src:
https://js.intercomcdn.com
https://downloads.intercomcdn.com
https://downloads.intercomcdn.eu
https://downloads.au.intercomcdn.com

img-src:
blob:
data:
https://js.intercomcdn.com
https://static.intercomassets.com
https://downloads.intercomcdn.com
https://downloads.intercomcdn.eu
https://downloads.au.intercomcdn.com
https://uploads.intercomusercontent.com
https://gifs.intercomcdn.com
https://video-messages.intercomcdn.com
https://messenger-apps.intercom.io
https://messenger-apps.eu.intercom.io
https://messenger-apps.au.intercom.io
https://*.intercom-attachments-1.com
https://*.intercom-attachments.eu
https://*.au.intercom-attachments.com
https://*.intercom-attachments-2.com
https://*.intercom-attachments-3.com
https://*.intercom-attachments-4.com
https://*.intercom-attachments-5.com
https://*.intercom-attachments-6.com
https://*.intercom-attachments-7.com
https://*.intercom-attachments-8.com
https://*.intercom-attachments-9.com
https://static.intercomassets.eu
https://static.au.intercomassets.com

style-src:
'unsafe-inline'


Also, if your service supports CSPv3 only, you'll need to use two separate entries for frame-src and worker-src in place of child-src, as this keyword is being deprecated.

Note: The above entries are required for Intercom's functionality to work properly in your app. Some of the integrations in our App Store may require you to add other entries to your CSP as well. If that's the case, you should see an error message in your browser's developer's console indicating that.

Firewalls

Many of the above domains will also need to be allowed in your firewall settings to allow correct functioning of Intercom.


💡Tip

Need more help? Get support from our Community Forum
Find answers and get help from Intercom Support and Community Experts


Did this answer your question?