Modify Content Security Policy for RUM

Content Security Policy (CSP) is a standard designed to prevent cross-site scripting and other code-injection attacks. If you have a Content Security Policy in place, it might disallow inline JavaScript code and prevent the browser from sending monitoring data to the Dynatrace Server.

Insertion methods

CSP rules can be set via the meta tag or the Content-Security-Policy HTTP header. In general, the CSP rules on a page must allow the Real User Monitoring (RUM) JavaScript tag to load and execute.

Auto injection

If the report URL has been configured to send the monitoring signals to a beacon forwarder, add this URL to your Content Security Policy rules.

  • If you're using the Inline code and Code snippet insertion methods, ensure that 'unsafe-inline' is enabled.
  • Support for nonces and hashes is unavailable at this time.

Manual injection

The monitoring signals in this case are always sent to the beacon forwarder. Therefore, ensure that the URL to which this data is sent is added to the CSP rules.

  • If you're using the Inline code and Code snippet insertion methods, ensure that 'unsafe-inline' is enabled.
  • If you're using the JavaScript tag and OneAgent JavaScript tag insertion methods:
    • For SaaS: scripts from Dynatrace must be allowed.
    • For Managed: scripts from the proxy or the CDN that the customer sets up must be allowed.
  • A nonce can be added manually to the script tag, and the CSP header must be set up accordingly.
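
The requirements in both sections above can be checked against a policy string before it is deployed. The following is an added example, not Dynatrace code: it parses a CSP and reports whether the RUM script origin, the beacon URL and inline RUM code would be allowed. It assumes the beacon is sent with XHR, fetch or sendBeacon (all governed by connect-src); the option names are hypothetical and any hostnames you pass in are your own.

```javascript
// Added example, not Dynatrace code. Option names below are hypothetical.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Simplified source matching: scheme and host only; ports and paths are not evaluated.
function sourceAllows(source, url) {
  const u = new URL(url);
  if (source === '*') return true;
  if (source.startsWith("'")) return false; // keywords, nonces and hashes match no URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === u.protocol;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/i.exec(source);
  if (!m || (m[1] && m[1].toLowerCase() + ':' !== u.protocol)) return false;
  const host = m[2].toLowerCase();
  return host.startsWith('*.') ? u.hostname.endsWith(host.slice(1)) : u.hostname === host;
}

// rum: { scriptUrl, beaconUrl, inline, nonce }; returns a list of problems (empty = OK).
function checkRumCsp(policy, rum) {
  const csp = parseCsp(policy);
  const effective = (name) => csp.get(name) ?? csp.get('default-src'); // fallback rule
  const script = effective('script-src');
  const connect = effective('connect-src');
  const problems = [];
  if (rum.scriptUrl && script && !script.some((s) => sourceAllows(s, rum.scriptUrl))) {
    problems.push('script-src blocks ' + rum.scriptUrl);
  }
  if (rum.beaconUrl && connect && !connect.some((s) => sourceAllows(s, rum.beaconUrl))) {
    problems.push('connect-src blocks ' + rum.beaconUrl);
  }
  if (rum.inline && script) {
    const strict = script.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
    const nonceOk = Boolean(rum.nonce) && script.includes(`'nonce-${rum.nonce}'`);
    // Browsers ignore 'unsafe-inline' as soon as any nonce or hash source is listed.
    const unsafeOk = !strict && script.some((s) => s.toLowerCase() === "'unsafe-inline'");
    if (!nonceOk && !unsafeOk) problems.push('script-src blocks the inline RUM code');
  }
  return problems;
}
```

A policy that lists both 'unsafe-inline' and a nonce or hash is reported as blocking inline RUM code unless the matching nonce is supplied, which is the case to watch for when auto injection is used on a site that already has a nonce-based policy.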