If your app doesn't send a CSP header, skip this section — the widget works out of the box. If you do, add the directives below so the SDK can reach Conclude.
Required directives
| Directive | Value | Required by |
|---|---|---|
| connect-src | https://www.conclude.fyi | All SDKs — API requests |
| img-src | https://www.conclude.fyi blob: data: | All SDKs — screenshots & logos |
| media-src | https://www.conclude.fyi blob: | Recording mode (playback) |
| script-src | https://www.conclude.fyi | Script tag users only |
| frame-src | https://www.conclude.fyi | iframe embed users only |
React SDK
Only needs connect-src, img-src, and (if using recording mode) media-src. No frame-src or script-src required — the SDK is installed from npm and renders natively.
Full CSP header — React SDK
HTTP header:
Content-Security-Policy: connect-src 'self' https://www.conclude.fyi; img-src 'self' https://www.conclude.fyi blob: data:; media-src 'self' https://www.conclude.fyi blob:;
Next.js (next.config.ts):
async headers() {
  return [{
    source: "/(.*)",
    headers: [{
      key: "Content-Security-Policy",
      value: [
        "connect-src 'self' https://www.conclude.fyi",
        "img-src 'self' https://www.conclude.fyi blob: data:",
        "media-src 'self' https://www.conclude.fyi blob:",
      ].join("; "),
    }],
  }];
}
Meta tag:
<meta http-equiv="Content-Security-Policy" content="connect-src 'self' https://www.conclude.fyi; img-src 'self' https://www.conclude.fyi blob: data:; media-src 'self' https://www.conclude.fyi blob:;">
Script tag / iframe users
In addition to the React SDK directives, also add script-src (to load conclude-widget.js) and frame-src (for the widget iframe overlay):
Content-Security-Policy:
connect-src 'self' https://www.conclude.fyi;
script-src 'self' https://www.conclude.fyi;
frame-src 'self' https://www.conclude.fyi;
img-src 'self' https://www.conclude.fyi blob: data:;
media-src 'self' https://www.conclude.fyi blob:;
Symptoms when CSP is blocking
- Network tab: net::ERR_BLOCKED_BY_CSP on fetches to www.conclude.fyi.
- Console: "Refused to connect to 'https://www.conclude.fyi/...' because it violates the Content Security Policy directive: 'connect-src ...'"
- Script tag: "Refused to frame www.conclude.fyi" → missing frame-src.
- Screenshots broken: missing img-src blob: or data:.
- Recording playback broken: missing media-src blob:.
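To check a policy against the table above before deploying, this added example (not part of the Conclude SDK or its docs) parses a CSP value and lists the sources the widget still needs, following the default-src and child-src fallbacks a browser applies. The option names recording, scriptTag and iframe are assumptions made for the example, and host matching is deliberately conservative (exact origin, https: or * only).

```javascript
// Added example, not Conclude code. Required sources come from the table above.
const ORIGIN = "https://www.conclude.fyi";
const REQUIRED = [
  // [directive, sources, predicate over the hypothetical integration options]
  ["connect-src", [ORIGIN], () => true],
  ["img-src", [ORIGIN, "blob:", "data:"], () => true],
  ["media-src", [ORIGIN, "blob:"], (o) => o.recording],
  ["script-src", [ORIGIN], (o) => o.scriptTag],
  ["frame-src", [ORIGIN], (o) => o.scriptTag || o.iframe],
];

// Parse a policy value; browsers ignore a repeated directive, so first wins.
function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Source list that governs a directive, following the CSP fallback chain.
// Returns null when nothing restricts that resource type.
function effectiveSources(policy, directive) {
  const chain = directive === "frame-src"
    ? ["frame-src", "child-src", "default-src"]
    : [directive, "default-src"];
  const hit = chain.find((name) => policy.has(name));
  return hit ? policy.get(hit) : null;
}

// Conservative match: exact origin, "https:" or "*" for the host; scheme
// sources (blob:, data:) must be listed explicitly because "*" excludes them.
function allows(sources, needed) {
  if (needed.endsWith(":")) return sources.includes(needed);
  return sources.some((s) => s === needed || s === "https:" || s === "*");
}

function missingForConclude(value, opts = {}) {
  const policy = parseCsp(value);
  const missing = [];
  for (const [directive, needed, applies] of REQUIRED) {
    const sources = applies(opts) ? effectiveSources(policy, directive) : null;
    if (sources === null) continue;
    for (const src of needed) if (!allows(sources, src)) missing.push(`${directive} ${src}`);
  }
  return missing;
}
```

An empty result means the policy does not block anything the chosen integration needs; each returned entry names the directive to add and the source to put in it.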
Local development
If you're testing against localhost:3000, include both:
connect-src 'self' http://localhost:3000 https://www.conclude.fyi