About this list
This list includes domains from HubSpot's official CSP documentation plus commonly used third-party services like Google Analytics, Tag Manager, and YouTube embeds. Always verify these domains match your specific use case and test thoroughly before deploying to production.
HubSpot

Official HubSpot domains required for CMS, forms, analytics, and other HubSpot features

Updated: 2026-02-05
script-src

Controls which scripts can be loaded and executed

https://*.hubapi.com
https://*.hubspotfeedback.com
https://*.hsforms.net
https://*.hsleadflows.net
https://*.hscollectedforms.net
https://*.hubspot.net
https://*.hubspotusercontent00.net
https://*.hubspotusercontent10.net
https://*.hubspotusercontent20.net
https://*.hubspotusercontent30.net
https://*.hubspotusercontent40.net
https://*.hsadspixel.net
https://*.hs-scripts.com
https://*.hsforms.com
https://js.hscta.net
https://*.hs-analytics.net
https://*.hubspot.com
https://static.hsappstatic.net
https://*.hs-banner.com
https://*.usemessages.com
style-src

Controls which stylesheets can be loaded

https://*.fs1.hubspotusercontent-na1.net
https://*.hubspotusercontent00.net
https://*.hubspotusercontent10.net
https://*.hubspotusercontent20.net
https://*.hubspotusercontent30.net
https://*.hubspotusercontent40.net
https://*.hsappstatic.net
https://cdn2.hubspot.net
https://*.hubspot.com
img-src

Controls which images can be loaded

https://*.hsforms.net
https://*.hubspotusercontent00.net
https://*.hubspotusercontent10.net
https://*.hubspotusercontent20.net
https://*.hubspotusercontent30.net
https://*.hubspotusercontent40.net
https://*.fs1.hubspotusercontent-na1.net
https://*.hsappstatic.net
https://*.hubspot.com
https://*.hubspot.net
https://*.hsforms.com
https://js.hscta.net
connect-src

Controls which URLs can be loaded using script interfaces (fetch, XHR, WebSocket)

https://*.hs-banner.com
https://*.hubapi.com
https://*.hubspot.com
https://*.hsforms.com
https://*.hsforms.net
https://*.hsappstatic.net
https://*.hscollectedforms.net
https://js.hscta.net
frame-src

Controls which URLs can be loaded in frames

https://play.hubspotvideo.com
https://*.hubspot.net
https://*.hubspot.com
https://*.hsforms.com
https://*.hs-sites.com
child-src

Controls which URLs can be embedded as child browsing contexts

https://*.hsforms.com
font-src

Controls which fonts can be loaded

https://*.fs1.hubspotusercontent-na1.net
https://static.hsappstatic.net
HubSpot EU Data Center

Additional domains required when using HubSpot's EU data center

Updated: 2026-02-04
script-src

Controls which scripts can be loaded and executed

https://js-eu1.hscta.net
https://feedback-eu1.hubapi.com
img-src

Controls which images can be loaded

https://js-eu1.hscta.net
connect-src

Controls which URLs can be loaded using script interfaces (fetch, XHR, WebSocket)

https://js-eu1.hscta.net
frame-src

Controls which URLs can be loaded in frames

https://*.hs-sites-eu1.com
https://play-eu1.hubspotvideo.com
Google Services

Common domains for Google Analytics, Tag Manager, and Fonts

Updated: 2026-04-21
script-src

Controls which scripts can be loaded and executed

https://www.googletagmanager.com
https://www.google-analytics.com
https://www.google.com
https://www.google.co.uk
https://www.googleadservices.com
https://*.googlesyndication.com
style-src

Controls which stylesheets can be loaded

https://fonts.googleapis.com
img-src

Controls which images can be loaded

https://www.google-analytics.com
https://www.googletagmanager.com
https://www.google.com
https://www.google.co.uk
https://*.g.doubleclick.net
connect-src

Controls which URLs can be loaded using script interfaces (fetch, XHR, WebSocket)

https://*.google-analytics.com
https://*.analytics.google.com
https://*.googletagmanager.com
https://*.google.com
https://*.google.co.uk
https://*.googleadservices.com
https://storage.googleapis.com
https://*.g.doubleclick.net
frame-src

Controls which URLs can be loaded in frames

https://www.googletagmanager.com
https://www.google.com
https://www.google.co.uk
https://www.youtube.com
https://www.youtube-nocookie.com
https://*.doubleclick.net
font-src

Controls which fonts can be loaded

https://fonts.gstatic.com
LinkedIn

Domains required for LinkedIn Insight Tag and other LinkedIn features

Updated: 2026-04-21
script-src

Controls which scripts can be loaded and executed

https://*.licdn.com
https://*.bizographics.com
img-src

Controls which images can be loaded

https://*.linkedin.com
https://*.adsymptotic.com
https://px.adslinkedin.com
https://snap.licdn.com
connect-src

Controls which URLs can be loaded using script interfaces (fetch, XHR, WebSocket)

https://px.adslinkedin.com
https://*.linkedin.com
Hotjar

Domains required for Hotjar analytics and feedback tools

Updated: 2026-04-21
script-src

Controls which scripts can be loaded and executed

https://*.hotjar.com
style-src

Controls which stylesheets can be loaded

https://*.hotjar.com
img-src

Controls which images can be loaded

https://*.hotjar.com
connect-src

Controls which URLs can be loaded using script interfaces (fetch, XHR, WebSocket)

https://*.hotjar.com
https://*.hotjar.io
wss://*.hotjar.io
frame-src

Controls which URLs can be loaded in frames

https://vars.hotjar.com
font-src

Controls which fonts can be loaded

https://*.hotjar.com
Unicorn Studio

Domains required for Unicorn Studio assets and features

Updated: 2026-02-05
img-src

Controls which images can be loaded

https://*.unicorn.studio