Understanding CSP and CORS for Kapa
When integrating Kapa into your website, you may encounter security mechanisms like Content Security Policy (CSP) and Cross-Origin Resource Sharing (CORS).
CORS settings (in Kapa) control who can access Kapa's services, while CSP settings (on your website) control what external resources your site can use. Both need to be configured correctly for Kapa widgets to function properly.
CORS
CORS is a security mechanism that controls which domains can access resources from Kapa's servers.
How CORS affects your Kapa integration
When your website (e.g., yourdomain.com
) makes requests to Kapa's services
(e.g., proxy.kapa.ai
), these are considered "cross-origin" requests. Without
proper CORS configuration:
- The browser blocks these requests
- Your Kapa Website Widget won't function
- Users see CORS errors in their browser console
Configuring CORS for Kapa
You don't need to modify your own server's CORS settings. Instead:
- In the Kapa platform, add your domain to the enabled domains list when configuring your integration
- This tells Kapa's servers to allow requests from your domain
- This prevents CORS errors in your integration
CSP
CSP is a security feature that you configure on your website to specify which external resources your site is allowed to use.
How CSP affects your Kapa integration
When you add Kapa widgets to your site, your CSP needs to allow:
- Scripts loading from Kapa's domains
- API connections to Kapa's services
- Other Kapa-related resources
Without proper CSP configuration:
- Scripts from Kapa won't load
- API requests to Kapa services are blocked
- Users see CSP violation errors in their browser console
Configuring CSP for Kapa
If your website has a Content Security Policy enabled, whitelist these domains:
http://widget.kapa.ai
- For loading the widget scripthttps://proxy.kapa.ai
- Proxy for widget functionalityhttps://kapa-widget-proxy-la7dkmplpq-uc.a.run.app
- A fallback for the main proxyhttps://www.google.com/recaptcha
- For reCAPTCHA functionalityhttps://metrics.kapa.ai
- For optional analytics and metrics collection
Add these domains to your CSP directives:
<meta
http-equiv="Content-Security-Policy"
content="
script-src 'self' widget.kapa.ai www.google.com;
connect-src 'self' proxy.kapa.ai kapa-widget-proxy-la7dkmplpq-uc.a.run.app metrics.kapa.ai;
frame-src 'self' www.google.com;
"
/>
Or via HTTP headers:
Content-Security-Policy: script-src 'self' widget.kapa.ai www.google.com; connect-src 'self' proxy.kapa.ai kapa-widget-proxy-la7dkmplpq-uc.a.run.app metrics.kapa.ai; frame-src 'self' www.google.com;