How to Allow the Visual Visitor Script in Your Content Security Policy (CSP)

How to Allow the Visual Visitor Script in Your Content Security Policy (CSP)

A Content Security Policy (CSP) is a browser security feature that restricts which external scripts and resources can load on your website. If your site enforces a strict CSP and the Visual Visitor domain is not whitelisted, the tracking script will be blocked and no visitors will be identified.

Symptoms of a CSP block

  1.  Zero identified visitors despite confirmed script installation.
  2. Browser console error: Refused to load script from [visualvisitor domain] because it violates the following Content Security Policy directive: script-src...
  3. The Visual Visitor script appears in your source code but does not load in the Network tab.


How to allow the Visual Visitor script

Add the Visual Visitor script domain to your site's CSP script-src and connect-src directives.

Notes
Contact Visual Visitor Support for the exact domain(s) to whitelist, as these may vary based on your account type.

The whitelist entry typically looks like: 

script-src 'self' https://[visualvisitor-script-domain];
connect-src 'self' https://[visualvisitor-api-domain]; 


CSP directives are typically set in one of these locations:

 

  1. An HTTP response header on your web server (nginx, Apache, AWS CloudFront, etc.).  
  2. A meta http-equiv Content-Security-Policy tag in your HTML head.
  3. Your CDN or WAF (Web Application Firewall) configuration panel.


CSP and iframe embedding

If you are embedding the Visual Visitor dashboard inside a third-party reporting tool (e.g., Agency Analytics) using an iframe, you may also need to add Visual Visitor's domain to the frame-ancestors CSP directive.

Notes
Contact Visual Visitor Support to get the correct directive value.

 



    • Related Articles

    • Allowing Our Script in Your Content Security

      If your website uses a Content Security Policy (CSP), you may need to explicitly allow the Visual Visitor script to load. How to Allow the Script Log in to your website hosting platform, CMS, or security tool (for example: Cloudflare, WordPress ...

    • Why Is My Tracking Script Blocked by a Cookie Consent Banner?

      Need Help Verifying Your Consent Setup? If you would like our team to review whether your cookie consent manager is configured correctly with Visual Visitor, please contact support@visualvisitor.com for assistance. The Visual Visitor cookie consent ...

    • Why Is My Tracking Script Not Firing After Installation? (Cache and GTM Publishing Issues)

      If you have installed the Visual Visitor tracking script but your dashboard is showing zero visitors, one of the following issues is most likely the cause: ยท Cache not cleared: WordPress sites using caching plugins (WP Rocket, LiteSpeed, W3 Total ...

    • Why Did My Identified Visitor Count Drop Suddenly?

      A sudden or significant drop in identified visitors (without a corresponding drop in website traffic) is typically caused by a change to your website configuration, tracking setup, or cookie consent settings. In most cases, this is related to the ...

    • Privacy Policy When Using Visual Visitor's Cookie Consent Banner

      Visual Visitor Privacy Policy with Cookie Banner Installation When using Visual Visitor's Cookie Consent Banner, we provide the following Privacy Policy if you do not have your own. It covers the Visual Visitor script installed on the website. All ...