How to Configure a Content Security Policy (CSP) for Captain Compliance

Content Security Policy (CSP) is an HTTP response header that tells browsers which external origins are permitted to load resources on your site. CSP is opt-in — if your site does not currently send a Content-Security-Policy header, no configuration is needed and Captain Compliance will load without restriction.

If you do have a CSP in place, the directives must explicitly allow Captain Compliance origins. Without them, browsers may block Captain Compliance scripts, API calls, and geolocation lookups, causing the consent banner to fail silently or throw console errors.

This article lists every origin required by Captain Compliance.

Required Origins

| Origin | Purpose |
| --- | --- |
| *.cptn.co | Loads the CC script bundle, posts consent records, pulls banner styles and assets. |
| cc-platform-api-prod.fly.dev | Temporary API endpoint handling consent record writes and configuration fetch during infrastructure migration. It will be retired once the migration to *.cptn.co is complete. Monitor Captain Compliance release notes for a deprecation date and remove this entry at that time. |
| api.ipify.org | Returns visitor public IP as JSON for geolocation jurisdiction detection alongside Cloudflare headers. |
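
As an added example (not Captain Compliance's own code), the function below merges the required origins into an existing policy string, including the case where a directive is missing and the browser would otherwise fall back to default-src. The origin-to-directive mapping is an assumption inferred from the Purpose descriptions, and the sample policy is constructed.

```javascript
// Added example. The directive mapping is an assumption inferred from the
// "Purpose" text; confirm it against CSP violation reports in the console.
const REQUIRED = {
  "script-src":  ["*.cptn.co"],
  "style-src":   ["*.cptn.co"],
  "img-src":     ["*.cptn.co"],
  "connect-src": ["*.cptn.co", "cc-platform-api-prod.fly.dev", "api.ipify.org"],
};

// Parse "name v1 v2; name2 v3" into a Map that preserves directive order.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers ignore a repeated directive, so keep only the first one.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function addCaptainCompliance(header) {
  const policy = parseCsp(header);
  const fallback = policy.get("default-src");
  for (const [directive, origins] of Object.entries(REQUIRED)) {
    let sources = policy.get(directive);
    if (!sources) {
      // No directive and no default-src: this fetch type is unrestricted.
      if (!fallback) continue;
      // An explicit directive replaces the default-src fallback entirely,
      // so copy the fallback sources before adding the new origins.
      sources = [...fallback];
    }
    // 'none' only has effect when it stands alone; drop it once origins are listed.
    sources = sources.filter((s) => s.toLowerCase() !== "'none'");
    for (const origin of origins) {
      if (!sources.includes(origin)) sources.push(origin);
    }
    policy.set(directive, sources);
  }
  return [...policy].map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Constructed sample policy, not taken from any real site.
const before = "default-src 'self'; script-src 'self' 'nonce-abc123'; img-src 'none'";
console.log(addCaptainCompliance(before));
```

Run it with Node.js, then load the site with the resulting header and check the browser console for remaining CSP violations before deploying.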