Skip to content

CSP and Network Allowlist

Last updated: February 18, 2026

This page provides Content Security Policy (CSP) and network allowlist guidance for organizations integrating Cybexo CMP.

Security teams should validate CSP and outbound network policies before production rollout.

Typical Cybexo endpoints:

  • https://cmp.cybexo.com
    CMP loader script, banner assets, static resources.
  • https://api.cybexo.io
    Consent API, configuration retrieval, consent state synchronization.

If additional endpoints are introduced (for example regional endpoints), they will be documented prior to release.

The following example should be adjusted to match your organization’s baseline CSP policy.

Content-Security-Policy:
script-src 'self' https://cmp.cybexo.com;
connect-src 'self' https://api.cybexo.io https://cmp.cybexo.com;
img-src 'self' data: https://cmp.cybexo.com;
style-src 'self' 'unsafe-inline' https://cmp.cybexo.com;
frame-src 'self';
  • 'unsafe-inline' may be required depending on site configuration.
    Organizations with strict CSP policies should test before production rollout.
  • If using nonce- or hash-based CSP enforcement, ensure CMP loader injection is compatible with your policy.

If Google Tag Manager, gtag.js, or Google Ads/Analytics are used, your CSP must include required Google domains according to your tag architecture.

Typical Google domains may include:

  • https://www.googletagmanager.com
  • https://www.google-analytics.com
  • https://www.googleadservices.com
  • https://pagead2.googlesyndication.com

Cybexo CMP does not require these domains directly, but Google tags do.

Refer to Google’s official documentation for required CSP directives.

After applying CSP restrictions:

  1. Open browser developer tools.
  2. Confirm there are no CSP violations in the console.
  3. Confirm:
    • CMP loader (cmp.cybexo.com) loads successfully.
    • API calls (api.cybexo.io) return HTTP 2xx.
    • Banner displays correctly.
    • Consent updates trigger as expected.
  4. Validate consent mode using:
    • Tag Assistant
    • Cybexo Debug Tool
  • Protocol: HTTPS only
  • Port: 443
  • Fixed IP allowlists: Not applicable

Cybexo CMP services are delivered via globally distributed infrastructure. Fixed IP ranges are not guaranteed and should not be relied upon for firewall allowlisting.

Organizations requiring IP-based controls should allowlist domains instead of IP addresses.