This page shows you how to configure Content Security Policy (CSP) so that your application is compatible with Browser RUM.
To enable CSP for instrumented applications, you add the following required directives in the
In certain cases, you are also required to use the following directives:
The script-src directive specifies the location of adrum-ext.js. By default, adrum-ext.js is loaded from our content delivery network (CDN) at cdn.appdynamics.com. The example below shows how you might use the
To measure first-byte time accurately, we ask customers to include the following line at the top of pages:
window["adrum-start-time"] = new Date().getTime();
For this line to be read, you also need to set the script-src directive to 'unsafe-inline' as shown here:
The connect-src directive specifies the location where beacons are sent. If you are using the SaaS-based EUM, you might use something like the following:
If you are using on-prem EUM, you would have connect-src point to your EUM Server.
For cross-domain sessions, we load adrum-xd.html into an iframe. By default, this is loaded from our CDN, so you need to have child-src specify a CDN as shown below.
If adrum-xd.html is hosted locally, you would use the frame-ancestors directives in the following way:
img-src directive to specify the beacon location as shown in the example below.
The following Content-Security-Policy header allows the adrum files to load from our CDN and beacons to be sent to our SaaS-based EUM.
Content-Security-Policy: connect-src 'self' col.eum-appdynamics.com; script-src 'unsafe-inline' cdn.appdynamics.com; img-src cdn.appdynamics.com; child-src cdn.appdynamics.com
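As an added example (not AppDynamics code), the following Node.js check audits a header such as the one above against the hosts this page names, reports whether script-src still permits arbitrary inline script, and computes a hash-source for the adrum-start-time line. The names RUM_NEEDS, parseCsp, covers, auditCsp and hashSource are illustrative, and the hash-source is a standard CSP mechanism that this page does not document for Browser RUM.

```javascript
const crypto = require('node:crypto');

// Hosts the page names for SaaS EUM with the adrum files served from the CDN.
const RUM_NEEDS = {
  'script-src': 'cdn.appdynamics.com',      // adrum-ext.js
  'connect-src': 'col.eum-appdynamics.com', // beacons
  'child-src': 'cdn.appdynamics.com',       // adrum-xd.html iframe
};

// Split "name src src; name src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.replace(/^content-security-policy:/i, '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// True when a source expression covers host. Port and path parts are ignored,
// and the RUM hosts are assumed to be fetched over HTTPS.
function covers(source, host) {
  if (source === '*' || source.toLowerCase() === 'https:') return true;
  const s = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').replace(/[:/].*$/, '').toLowerCase();
  return s === host || (s.startsWith('*.') && host.endsWith(s.slice(1)));
}

function auditCsp(header, needs = RUM_NEEDS) {
  const policy = parseCsp(header);
  const missing = [];
  for (const [directive, host] of Object.entries(needs)) {
    // An absent directive falls back to default-src; with neither, nothing is restricted.
    const sources = policy.get(directive) ?? policy.get('default-src');
    if (sources && !sources.some((s) => covers(s, host))) missing.push(`${directive} ${host}`);
  }
  const scriptSrc = policy.get('script-src') ?? policy.get('default-src') ?? [];
  const pinned = scriptSrc.some((s) => /^'(sha(256|384|512)|nonce)-/.test(s));
  // CSP2+ browsers ignore 'unsafe-inline' once a hash or nonce is listed.
  const allowsAnyInline = scriptSrc.includes("'unsafe-inline'") && !pinned;
  return { missing, allowsAnyInline };
}

// Hash-source for one inline script; scriptText must equal the <script> element's
// text byte for byte (constructed use: the adrum-start-time line shown on this page).
function hashSource(scriptText) {
  return `'sha256-${crypto.createHash('sha256').update(scriptText, 'utf8').digest('base64')}'`;
}
```

A non-empty missing list means the browser will block the corresponding Browser RUM request; allowsAnyInline is true for the header above because 'unsafe-inline' is its only inline allowance.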