Configuring Content Security Policy (CSP) for Calcumate

If your site uses Content Security Policy (CSP) to mitigate threats such as cross-site scripting (XSS) and clickjacking, you'll need to allow the Calcumate domains below so the calculator widget can load and operate correctly.

CSP is enforced per-directive, so it's not enough to list our domains in a single place — each domain needs to be added to the directive that matches the type of resource it serves. The table below shows exactly where each domain belongs.

Required allowlist

Directive

Domains to allow

Purpose

script-src

https://*.calcumate.co

Loads the calculator widget bundle

connect-src

https://*.calcumate.co https://optimize.calcumate.co https://r354ovsoac.execute-api.ap-southeast-2.amazonaws.com

API calls for calculator data and packing optimization

img-src

https://*.calcumate.co https://calcumate-calculator-new-production.s3-ap-southeast-2.amazonaws.com https://calcumatev2-attachments-prod.s3-ap-southeast-2.amazonaws.com

Item images, icons, and customer-uploaded attachments

style-src

https://*.calcumate.co

Widget styles

frame-src

https://*.calcumate.co

Embedded calculator frame (if applicable)

If your CSP relies on default-src as a catch-all, adding the domains there will also work — but we recommend per-directive rules for tighter security.

Example CSP header

Here's an example header that allows Calcumate alongside common third-party services:

Content-Security-Policy:
default-src 'self';
script-src  'self' https://*.calcumate.co;
connect-src 'self' https://*.calcumate.co https://optimize.calcumate.co https://r354ovsoac.execute-api.ap-southeast-2.amazonaws.com;
img-src     'self' data: https://*.calcumate.co https://calcumate-calculator-new-production.s3-ap-southeast-2.amazonaws.com https://calcumatev2-attachments-prod.s3-ap-southeast-2.amazonaws.com;
style-src   'self' 'unsafe-inline' https://*.calcumate.co;
frame-src   'self' https://*.calcumate.co;

How to identify a CSP issue

If the calculator stops loading after a CSP change, open your browser's developer console. CSP violations look like this:

Refused to connect to 'https://…' because it violates the following Content Security Policy directive: "connect-src …"

The directive named in the error message tells you exactly where the missing domain needs to be added.

Note: Errors that say ERR_BLOCKED_BY_CLIENT are not CSP-related, they come from browser extensions (ad-blockers, privacy tools) on the visitor's device and aren't something your CSP or our widget can resolve.

Need help?

If you've added these rules and the calculator still isn't loading, send us a screenshot of the console errors and the relevant CSP header from your site, and we'll help diagnose.

PreviousHow to Integrate Calculator Widget in React Native NextLead capture overview

Last updated 1 day ago

Was this helpful?

hashtagRequired allowlist

hashtagExample CSP header

hashtagHow to identify a CSP issue

hashtagNeed help?

Required allowlist

Example CSP header

How to identify a CSP issue

Need help?