CSP for HubSpot
crmmarketingUsing HubSpot with Content Security Policy
Hubspot is a major CRM with many features. As such, is has multiple different domains (used for tracking and various marketing features), which can cause a great challenge when trying to integrate a CSP (Content-Security-Policy) to a site using Hubspot. We suggest adding all the various directives listed below - even if they are not currently used by your site - it's better to add in advance, in order to ensure easy integration of new abilities with your CSP.
Allow these directives in your CSP, to support HubSpot in your Content Security Policy:
script-src https://js.hs-scripts.com https://js.hsleadflows.net https://js.hs-banner.com https://js.hsadspixel.net https://js.hubspotfeedback.com https://js.usemessages.com https://js.hs-analytics.net https://js.hscollectedforms.net https://js.hsforms.net https://js-na1.hs-scripts.com https://forms.hsforms.com; style-src 'unsafe-inline'; frame-src *.hubspot.com forms.hsforms.com js.hsadspixel.net js.hscollectedforms.net js.usemessages.com; child-src app.hubspot.com forms.hsforms.com js.hsadspixel.net js.hscollectedforms.net js.usemessages.com; img-src *.hubspot.com cdn2.hubspot.net forms.hsforms.com; font-src data:; connect-src *.hubspot.com api.hubapi.com js.usemessages.com js.hsleadflows.net js.hs-banner.com js.hubspotfeedback.com js.hsadspixel.net js.hs-analytics.net js.hs-scripts.com forms.hsforms.com; form-action forms.hsforms.com forms.hubspot.com;
The main domains used by HubSpot are:
hubspot.com hubapi.com hsleadflows.net usemessages.com hs-banner.com hubspotfeedback.com hsadspixel.net hs-analytics.net hs-scripts.com hubspot.net hscollectedforms.net hsforms.net hsforms.com
Sources:
Using HubSpot Marketing with Content Security Policy(Offical Docs)RapidSec CSP Generator(RapidSec Data Network)Example Content-Security-Policy violations / reports:
Using the above CSP package, will fix these errors that you may be seeing in your console logs:
script-src/script-src-elem/script-src-attrviolations
Refused to load the script 'https://js.hsleadflows.net/leadflows.js' because it violates the following Content Security Policy directive: "script-src 'self' 'report-sample'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
If you see inline style errors, you need to add SHA-256 hashes / nonces to your CSP with RapidSec:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...') is required to enable inline execution.If you see inline eval() errors, RapidSec will generate your CSP with the specific content of the errors:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'report-sample'".
style-src/style-src-elem/style-src-attrviolations
If you see inline style errors, you need to add SHA-256 hashes / nonces to your CSP with RapidSec:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'report-sample'". Either the 'unsafe-inline' keyword, a hash ('sha256-RFWPLDbv2BY+rCkDzsE+0fr8ylGr2R2faWMhq4lfEQc='), or a nonce ('nonce-...') is required to enable inline execution.img-srcviolations
Refused to load the image 'hubspot.com' because it violates the following Content Security Policy directive: "img-src 'self'".
frame-srcviolations
[Report Only] Refused to frame 'hubspot.com' because it violates the following Content Security Policy directive: "frame-src 'self'".
form-actionviolations
[Report Only] Refused to send form data to 'hubspot.com' because it violates the following Content Security Policy directive: "form-action 'self'".
connect-srcviolations
[Report Only] Refused to connect to 'hubspot.com' because it violates the following Content Security Policy directive: "connect-src 'self'"