CSP and Network Allowlist
Last updated: February 18, 2026
This page provides Content Security Policy (CSP) and network allowlist guidance for organizations integrating Cybexo CMP.
Security teams should validate CSP and outbound network policies before production rollout.
1. Required Domains
Section titled “1. Required Domains”Typical Cybexo endpoints:
https://cmp.cybexo.com
CMP loader script, banner assets, static resources.https://api.cybexo.io
Consent API, configuration retrieval, consent state synchronization.
If additional endpoints are introduced (for example regional endpoints), they will be documented prior to release.
2. Example CSP Snippet
Section titled “2. Example CSP Snippet”The following example should be adjusted to match your organization’s baseline CSP policy.
Content-Security-Policy: script-src 'self' https://cmp.cybexo.com; connect-src 'self' https://api.cybexo.io https://cmp.cybexo.com; img-src 'self' data: https://cmp.cybexo.com; style-src 'self' 'unsafe-inline' https://cmp.cybexo.com; frame-src 'self';'unsafe-inline'may be required depending on site configuration.
Organizations with strict CSP policies should test before production rollout.- If using nonce- or hash-based CSP enforcement, ensure CMP loader injection is compatible with your policy.
3. GTM and Google Dependencies
Section titled “3. GTM and Google Dependencies”If Google Tag Manager, gtag.js, or Google Ads/Analytics are used, your CSP must include required Google domains according to your tag architecture.
Typical Google domains may include:
https://www.googletagmanager.comhttps://www.google-analytics.comhttps://www.googleadservices.comhttps://pagead2.googlesyndication.com
Cybexo CMP does not require these domains directly, but Google tags do.
Refer to Google’s official documentation for required CSP directives.
4. Validation Steps
Section titled “4. Validation Steps”After applying CSP restrictions:
- Open browser developer tools.
- Confirm there are no CSP violations in the console.
- Confirm:
- CMP loader (
cmp.cybexo.com) loads successfully. - API calls (
api.cybexo.io) return HTTP 2xx. - Banner displays correctly.
- Consent updates trigger as expected.
- CMP loader (
- Validate consent mode using:
- Tag Assistant
- Cybexo Debug Tool
5. Network Policy
Section titled “5. Network Policy”- Protocol: HTTPS only
- Port: 443
- Fixed IP allowlists: Not applicable
Cybexo CMP services are delivered via globally distributed infrastructure. Fixed IP ranges are not guaranteed and should not be relied upon for firewall allowlisting.
Organizations requiring IP-based controls should allowlist domains instead of IP addresses.