Skip to main content
Contact Support

Information about how Formstack uses CSP

Ryan J.

Formstack Analytics is a feature that helps you to see how your form is performing.


 

In order to collect this data, some information is sent to a custom URL based on the actions someone filling your form does.
 
What changes now, is that Formstack is changing the URL for this data, and this URL will not have your custom subdomain anymore, we are adopting a custom subdomain for this endpoint. This can only impact you if you have our forms embedded in your website and also have your own Content Security Policy headers.
 
The only action you should take is to include this new endpoint in your CSP headers.
 
The new endpoint should be "form-analytics.formstack.com" or even "*.formstack.com" if you want to make sure any future changes like this are included.
 
If you want more details about all possible sources you may need to have in order to your form work right when using your own CSP headers, the following content will help you to understand all you need to set your embedded forms successfully.
 
 

Information about how Formstack uses CSP

 

When embedding Formstack forms on websites with Content Security Policy (CSP) enabled, you'll need to configure your CSP to allow specific resources that Forms V4 requires to function properly. This guide will help you update your CSP configuration to ensure your embedded forms work correctly while maintaining your site's security.

Required CSP Directives

 

Add the following directives to your site's Content Security Policy. Replace [ACCOUNT_ALIAS] with your Formstack account subdomain.

Essential Domains

 

default-src 'self';

script-src 'self' https://[ACCOUNT_ALIAS].formstack.com https://ajax.googleapis.com https://code.jquery.com;

style-src 'self' https://[ACCOUNT_ALIAS].formstack.com https://fonts.googleapis.com;

frame-src 'self' https://[ACCOUNT_ALIAS].formstack.com;

img-src 'self' https://[ACCOUNT_ALIAS].formstack.com data:;

font-src 'self' https://fonts.gstatic.com;

connect-src 'self' https://[ACCOUNT_ALIAS].formstack.com;

Additional Features

 

If you're using additional Formstack features, you may need to allow these domains:

Payment Processing (Stripe)

script-src: https://js.stripe.com

frame-src: https://js.stripe.com

File Upload Preview

img-src: https://*.amazonaws.com

Form Analytics Integration

connect-src: https://form-analytics.formstack.com

Google Analytics Integration

script-src: https://www.googletagmanager.com

 

Common Issues and Solutions

 

Form Not Loading

 

If your form isn't loading, check your browser's console for CSP violation messages. These messages will indicate which resources are being blocked. Common patterns:

 

Refused to load the script 'https://[ACCOUNT_ALIAS].formstack.com/...' because it violates the following Content Security Policy directive...

Images Not Displaying

 

If images in your form (such as logos or field icons) aren't displaying, ensure your img-src directive includes both the Formstack domain and data: for inline images:

 

img-src 'self' https://[ACCOUNT_ALIAS].formstack.com data:;



Related articles