Content Security Policy
If you have a CSP deployed on your website, you must include the following directives when using our web SDKs:
script-src
- https://*.basistheory.com
frame-src
- https://*.basistheory.com
<head>
<meta http-equiv="Content-Security-Policy"
content="frame-src https://*.basistheory.com; script-src https://*.basistheory.com" />
</head>
Optional Sources
The sources mentioned earlier are essential for the SDK to work properly. However, you may also need to include the following sources that support our services:
Datadog
Basis Theory uses Datadog for logging and for debugging errors. If your CSP does not allow the connection to Datadog, it may be more difficult for Basis Theory to help with issues.
To allow the connection to Datadog, add the following directive to your CSP:
connect-src
- https://*.browser-intake-datadoghq.com
LaunchDarkly
Basis Theory uses LaunchDarkly to evaluate feature flags before new Elements features are released. If your CSP does not allow the connection to LaunchDarkly, your organization won't be able to test new features before they are released.
To allow the connection to LaunchDarkly, add the following directive to your CSP:
connect-src
- https://*.launchdarkly.com
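To check an existing policy against the required and optional sources listed above, the following added example (not Basis Theory code) parses a CSP string and reports which of those sources the governing directive does not cover, taking the CSP fallback chain into account. The function names and the sample policy are assumptions made for illustration.

```javascript
// Sources taken from this page; every function name below is hypothetical.
const REQUIRED = {
  "script-src": ["https://*.basistheory.com"],
  "frame-src": ["https://*.basistheory.com"],
};
const OPTIONAL = {
  "connect-src": ["https://*.browser-intake-datadoghq.com", "https://*.launchdarkly.com"],
};
// CSP Level 3 fallback order: the first directive present governs the load.
const FALLBACK = {
  "script-src": ["script-src-elem", "script-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
  "connect-src": ["connect-src", "default-src"],
};

// Split a policy into directive -> source list; a repeated directive is ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Returns the governing source list, or null when the policy leaves the load unrestricted.
function effectiveSources(directives, name) {
  const governing = FALLBACK[name].find((d) => directives.has(d));
  return governing ? directives.get(governing) : null;
}

// A needed source is covered by itself, by the https: scheme source, or by *.
function isAllowed(sources, needed) {
  return sources === null || sources.some((s) => [needed, "https:", "*"].includes(s));
}

function auditCsp(policy) {
  const directives = parseCsp(policy);
  const missing = (wanted) =>
    Object.entries(wanted).flatMap(([name, list]) =>
      list.filter((src) => !isAllowed(effectiveSources(directives, name), src))
        .map((src) => `${name} ${src}`));
  return { required: missing(REQUIRED), optional: missing(OPTIONAL) };
}

// Constructed policy: frame-src is absent, so child-src governs frames and blocks them.
const SAMPLE = "default-src 'self'; script-src 'self' https://*.basistheory.com; " +
  "child-src 'self'; connect-src 'self' https://*.launchdarkly.com";
console.log(auditCsp(SAMPLE));
```

An empty `required` list means the policy lets the SDK load its scripts and frames; entries under `optional` only affect the Datadog and LaunchDarkly connections described above.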
Trusted Types
If you are using Trusted Types, you must allow dynamic script loading from the https://js.basistheory.com origin. This should be done BEFORE initialization.
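// Register the default policy before the SDK is initialized.
trustedTypes.createPolicy("default", {
  createScriptURL: (input) => {
    // Allow script URLs only from the Basis Theory SDK origin.
    if (new URL(input).origin === "https://js.basistheory.com") {
      return input;
    }
    // Returning undefined makes the browser reject any other script URL.
    return undefined;
  }
});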
Common CSP Errors
The setup above is recommended to avoid errors similar to these: