BlueConic now supports Content Security Policy (CSP) nonces, allowing you to remove 'unsafe-inline' from your CSP directives while keeping BlueConic fully functional. This is especially valuable for organizations in regulated industries (finance, healthcare, retail) that require stricter security policies.
When a nonce is provided, BlueConic automatically applies it to all scripts and styles it injects into the page — so you don't need to manually manage nonces for individual BlueConic-generated tags.
Before you begin
Before enabling CSP nonces, ensure the following:
You can generate a cryptographically secure nonce on your server.
You can modify your website’s CSP headers.
You can update your webpage to include a JavaScript variable before the BlueConic script loads.
Important: Generate a new nonce for every page request. Reusing a static nonce weakens security.
Set up CSP nonce support
1. Generate a nonce server-side
Generate a cryptographically random nonce value on your server for each page request. This value should be unique per request.
Example nonce value: abc123xyz
2. Set the nonce as a JavaScript variable
Before the BlueConic tracking script loads on your page, expose the nonce as a JavaScript variable named bcNonce:
```html
<script nonce="abc123xyz">
var bcNonce = "abc123xyz";
</script>
```
Important: This script block itself must include the nonce attribute so your browser allows it to execute.
3. Update your CSP header
Include the nonce value in both your script-src and style-src CSP directives. We also recommend adding 'strict-dynamic' to script-src, which allows BlueConic's dynamically injected scripts to be trusted without requiring individual nonces:
```text
Content-Security-Policy:
default-src 'self';
script-src 'self' https://<your-blueconic-domain> 'nonce-abc123xyz' 'strict-dynamic';
style-src 'self' https://<your-blueconic-domain> 'nonce-abc123xyz';
connect-src 'self' https://<your-blueconic-domain>;
img-src 'self' https://<your-blueconic-domain> data:;
font-src 'self' https://<your-blueconic-domain>;
frame-src 'self' https://<your-blueconic-domain>;
object-src 'none';
base-uri 'self';
form-action 'self';
```
Replace <your-blueconic-domain> with your BlueConic tenant URL (e.g., abc.blueconic.net).
How it works in BlueConic
After you set bcNonce, BlueConic automatically:
Reads the nonce from the bcNonce variable
Applies the nonce to all injected script and style tags
Exposes BlueConic.getNonce() for plugins or custom code
This removes the need to manage nonces across individual components.
Notes
The nonce must be regenerated on every page load — using a static nonce defeats the security purpose.
If you use 'strict-dynamic' in your CSP, scripts loaded by BlueConic's trusted scripts are automatically allowed, reducing the need to explicitly list every resource.
Some plugins (e.g., Forms, rich text editors) may require additional review depending on your specific CSP setup. Contact BlueConic support if you encounter issues with specific plugin behavior.
