CSP Domains Reference

About this list

This list includes domains from HubSpot's official CSP documentation plus commonly used third-party services like Google Analytics, Tag Manager, and YouTube embeds. Always verify these domains match your specific use case and test thoroughly before deploying to production.

HubSpot

Official HubSpot domains required for CMS, forms, analytics, and other HubSpot features

Official Documentation

Updated: 2026-02-05

script-src

Controls which scripts can be loaded and executed

https://*.hubapi.com

https://*.hubspotfeedback.com

https://*.hsforms.net

https://*.hsleadflows.net

https://*.hscollectedforms.net

https://*.hubspot.net

https://*.hubspotusercontent00.net

https://*.hubspotusercontent10.net

https://*.hubspotusercontent20.net

https://*.hubspotusercontent30.net

https://*.hubspotusercontent40.net

https://*.hsadspixel.net

https://*.hs-scripts.com

https://*.hsforms.com

https://js.hscta.net

https://*.hs-analytics.net

https://*.hubspot.com

https://static.hsappstatic.net

https://*.hs-banner.com

https://*.usemessages.com

style-src

Controls which stylesheets can be loaded

https://*.fs1.hubspotusercontent-na1.net

https://*.hubspotusercontent00.net

https://*.hubspotusercontent10.net

https://*.hubspotusercontent20.net

https://*.hubspotusercontent30.net

https://*.hubspotusercontent40.net

https://*.hsappstatic.net

https://cdn2.hubspot.net

https://*.hubspot.com

img-src

Controls which images can be loaded

https://*.hsforms.net

https://*.hubspotusercontent00.net

https://*.hubspotusercontent10.net

https://*.hubspotusercontent20.net

https://*.hubspotusercontent30.net

https://*.hubspotusercontent40.net

https://*.fs1.hubspotusercontent-na1.net

https://*.hsappstatic.net

https://*.hubspot.com

https://*.hubspot.net

https://*.hsforms.com

https://js.hscta.net

connect-src

Controls which URLs can be loaded using script interfaces (fetch, XHR, WebSocket)

https://*.hs-banner.com

https://*.hubapi.com

https://*.hubspot.com

https://*.hsforms.com

https://*.hsforms.net

https://*.hsappstatic.net

https://*.hscollectedforms.net

https://js.hscta.net

frame-src

Controls which URLs can be loaded in frames

https://play.hubspotvideo.com

https://*.hubspot.net

https://*.hubspot.com

https://*.hsforms.com

https://*.hs-sites.com

child-src

Controls which URLs can be embedded as child browsing contexts

https://*.hsforms.com

font-src

Controls which fonts can be loaded

https://*.fs1.hubspotusercontent-na1.net

https://static.hsappstatic.net

HubSpot EU Data Center

Additional domains required when using HubSpot's EU data center

Official Documentation

Updated: 2026-02-04

script-src

Controls which scripts can be loaded and executed

https://js-eu1.hscta.net

https://feedback-eu1.hubapi.com

img-src

Controls which images can be loaded

https://js-eu1.hscta.net

connect-src

Controls which URLs can be loaded using script interfaces (fetch, XHR, WebSocket)

https://js-eu1.hscta.net

frame-src

Controls which URLs can be loaded in frames

https://.hs-sites-eu1.com

https://play-eu1.hubspotvideo.com

Google Services

Common domains for Google Analytics, Tag Manager, and Fonts

Updated: 2026-04-21

script-src

Controls which scripts can be loaded and executed

https://www.googletagmanager.com

https://www.google-analytics.com

https://www.google.com

https://www.google.co.uk

https://www.googleadservices.com

https://*.googlesyndication.com

style-src

Controls which stylesheets can be loaded

https://fonts.googleapis.com

img-src

Controls which images can be loaded

https://www.google-analytics.com

https://www.googletagmanager.com

https://www.google.com

https://www.google.co.uk

https://*.g.doubleclick.net

connect-src

Controls which URLs can be loaded using script interfaces (fetch, XHR, WebSocket)

https://*.google-analytics.com

https://*.analytics.google.com

https://*.googletagmanager.com

https://*.google.com

https://*.google.co.uk

https://*.googleadservices.com

https://storage.googleapis.com

https://*.g.doubleclick.net

frame-src

Controls which URLs can be loaded in frames

https://www.googletagmanager.com

https://www.google.com

https://www.google.co.uk

https://www.youtube.com

https://www.youtube-nocookie.com

https://*.doubleclick.net

font-src

Controls which fonts can be loaded

https://fonts.gstatic.com

Domains required for LinkedIn Insight Tag and other LinkedIn features

Updated: 2026-04-21

script-src

Controls which scripts can be loaded and executed

https://*.licdn.com

https://*.bizographics.com

img-src

Controls which images can be loaded

https://*.linkedin.com

https://*.adsymptotic.com

https://px.adslinkedin.com

https://snap.licdn.com

connect-src

Controls which URLs can be loaded using script interfaces (fetch, XHR, WebSocket)

https://px.adslinkedin.com

https://*.linkedin.com

Hotjar

Domains required for Hotjar analytics and feedback tools

Updated: 2026-04-21

script-src

Controls which scripts can be loaded and executed

https://*.hotjar.com

style-src

Controls which stylesheets can be loaded

https://*.hotjar.com

img-src

Controls which images can be loaded

https://*.hotjar.com

connect-src

Controls which URLs can be loaded using script interfaces (fetch, XHR, WebSocket)

https://*.hotjar.com

https://*.hotjar.io

wss://*.hotjar.io

frame-src

Controls which URLs can be loaded in frames

https://vars.hotjar.com

font-src

Controls which fonts can be loaded

https://*.hotjar.com

Unicorn Studio

Domains required for Unicorn Studio assets and features

Updated: 2026-02-05

img-src

Controls which images can be loaded

https://*.unicorn.studio

Back to Generator