Configure CSP and Network Allowlisting for the Siteimprove Sitecore Plugin

Modified on: Mon, 15 Jun, 2026 at 7:18 PM

Summary

The Siteimprove plugin loads scripts and API calls from Siteimprove domains. Without the correct Content Security Policy (CSP) headers, the browser blocks these requests, causing the plugin not to load. This step applies the required CSP patch to “web.config.”

Environment / Applicability

  • Sitecore SitecoreAI — cloud deployment (recommended)
  • Sitecore SitecoreAI — local Docker development
  • Sitecore XM/XP (on-premises / PaaS)
  • Content Security Policy and Network Allowlist

Steps

Configure CSP

Required CSP Header

The following three directives must be present in the CSP custom header for the module to work; the Siteimprove-specific additions are the cdn.siteimprove.net and *.siteimprove.com sources, while 'self', 'unsafe-inline' and 'unsafe-eval' come from Sitecore's own default header:

script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.siteimprove.net/;
connect-src 'self' https://*.siteimprove.com/;
frame-src 'self' https://*.siteimprove.com/;

Add the following Content-Security-Policy header under “<location path="sitecore"> > <system.webServer> > <httpProtocol> > <customHeaders>” in “web.config.” Apart from the three Siteimprove sources above, the value is based on the default value of the setting in a clean Sitecore 10.4 installation, which is where the 'unsafe-inline' and 'unsafe-eval' keywords and the Gravatar, WordPress, Auth0 and Google Fonts sources come from:

<add name="Content-Security-Policy" value="
  default-src 'self' 'unsafe-inline' 'unsafe-eval';
  script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.siteimprove.net/;
  img-src 'self' data: https://s.gravatar.com https://*.wp.com https://cdn.auth0.com/avatars;
  style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
  font-src 'self' https://fonts.gstatic.com;
  connect-src 'self' https://*.siteimprove.com/;
  frame-src 'self' https://*.siteimprove.com/;
  upgrade-insecure-requests;
  block-all-mixed-content;
" />

For the full list of Siteimprove domains (including EU and US data centers), see the “Content Security Policy and Network Allowlist” section below (Section 8).
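Before redeploying, it is worth checking the header a CM instance actually serves. The Python check below is an added example, not part of this article or of the Siteimprove plugin: it parses a CSP value, applies the rule that script-src, connect-src and frame-src fall back to default-src when absent, and tests whether each kind of request the plugin makes is allowed. The probe hosts are taken from this article's allowlist section; the paths, and the pre-patch BASELINE_CSP, are constructed.

```python
from urllib.parse import urlsplit

# One request per directive the plugin depends on; hosts come from this
# article's allowlist, the paths are constructed placeholders.
PROBES = {
    "script-src": "https://cdn.siteimprove.net/plugin.js",
    "connect-src": "https://api.siteimprove.com/v2/ping",
    "frame-src": "https://my2.siteimprove.com/",
}

# The Siteimprove-relevant directives of the article's header, plus a
# constructed baseline with the three Siteimprove sources removed.
PAGE_CSP = ("default-src 'self' 'unsafe-inline' 'unsafe-eval'; "
            "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.siteimprove.net/; "
            "connect-src 'self' https://*.siteimprove.com/; "
            "frame-src 'self' https://*.siteimprove.com/; "
            "upgrade-insecure-requests; block-all-mixed-content;")
BASELINE_CSP = PAGE_CSP.replace(" https://cdn.siteimprove.net/", "").replace(
    " https://*.siteimprove.com/", "")

def parse_csp(header):
    """{directive: [sources]}; like browsers, only the first occurrence counts."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy, directive):
    """Fallback rule: these fetch directives inherit default-src when absent."""
    return policy[directive] if directive in policy else policy.get("default-src", [])

def host_source_allows(source, url):
    """Does a source expression such as https://*.siteimprove.com/ permit url?"""
    if source.startswith("'") or source.endswith(":"):  # keyword ('self', ...) or bare scheme
        return source.endswith(":") and url.startswith(source)
    src, tgt = urlsplit(source if "://" in source else "https://" + source), urlsplit(url)
    if "://" in source and src.scheme != tgt.scheme:
        return False
    want, host = src.hostname or "", tgt.hostname or ""
    host_ok = host.endswith(want[1:]) if want.startswith("*.") else host == want
    path = src.path or "/"           # "/" or empty: any path; "dir/": prefix; else exact
    path_ok = path == "/" or (tgt.path.startswith(path) if path.endswith("/") else tgt.path == path)
    return host_ok and path_ok

def check_siteimprove_csp(header):
    """Return {directive: allowed?} for each Siteimprove request type."""
    policy = parse_csp(header)
    return {d: any(host_source_allows(s, url) for s in effective_sources(policy, d))
            for d, url in PROBES.items()}
```

Run check_siteimprove_csp on the value of the Content-Security-Policy response header from the CM site; the patched header returns True for all three directives, the baseline returns False for all three.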

Applying the Patch via XDT

“web.config” cannot be edited directly at runtime on SitecoreAI. Use an XDT (XML Document Transform) patch.

Sitecore SitecoreAI — cloud deployment (recommended)

Create “/xdts/web.config.xdt” in your CM customization project. The xdt:Locator="Match(name)" with xdt:Transform="Replace" swaps the value of the existing Content-Security-Policy entry instead of adding a second header with the same name:

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <location path="sitecore">
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Content-Security-Policy"
               value="default-src 'self' 'unsafe-inline' 'unsafe-eval';
                      script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.siteimprove.net/;
                      img-src 'self' data: https://s.gravatar.com https://*.wp.com https://cdn.auth0.com/avatars;
                      style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
                      font-src 'self' https://fonts.gstatic.com;
                      connect-src 'self' https://*.siteimprove.com/;
                      frame-src 'self' https://*.siteimprove.com/;
                      upgrade-insecure-requests;
                      block-all-mixed-content;"
               xdt:Transform="Replace"
               xdt:Locator="Match(name)" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </location>
</configuration>

Register the transform in “xmcloud.build.json”:

"transforms": [
  {
    "xdtPath": "/xdts/web.config.xdt",
    "targetPath": "/web.config"
  }
]

A cloud redeployment is required for the change to take effect.

Sitecore SitecoreAI — local Docker development

Use the SITECORE_DEVELOPMENT_PATCHES mechanism to avoid rebuilding the CM image:

Create docker/build/tools/SiteimproveCSP/Web.config.xdt with the XDT content above.

Build a custom tools image (docker/build/tools/Dockerfile) that copies the patch folder.

Add SiteimproveCSP to SITECORE_DEVELOPMENT_PATCHES in docker-compose.override.yml.

Restart the container (no rebuild needed) for the patch to apply.

Sitecore XM/XP (on-premises / PaaS)

Apply the Content-Security-Policy header directly in “web.config” under “<location path="sitecore">.” Standard XDT tooling can be used to manage environment-specific transforms in the deployment pipeline.

Content Security Policy and Network Allowlist

Ensure both the CSP and the server's outbound network allowlist permit the Siteimprove domains listed below.

Wildcard form (when allowed):

  • *.siteimprove.com
  • *.siteimproveanalytics.com
  • *.siteimprove.net
  • *.siteimproveanalytics.io

Specific domains commonly required:

  • id.siteimprove.com (legacy login)
  • identity.siteimprove.com (current login)
  • sso2.siteimprove.com
  • my2.siteimprove.com
  • help.siteimprove.com
  • cdn.siteimprove.net

EU data center:

  • api.siteimprove.com
  • contentassistant.eu.siteimprove.com
  • id.eu.siteimprove.com
  • ap.eu.siteimprove.com

US data center:

  • api.us.siteimprove.com
  • contentassistant.us.siteimprove.com
  • id.us.siteimprove.com
  • ap.us.siteimprove.com
