Flowsery Analytics script blocked by Content Security Policy (CSP)

If you have added the Flowsery Analytics tracking snippet but no pageviews are showing up, your site's Content Security Policy (CSP) headers are most likely preventing it from loading.

Diagnosing a CSP issue

  1. Open your site in Chrome or Firefox
  2. Launch DevTools (F12 or Cmd+Shift+I)
  3. Switch to the Console tab
  4. Check for an error similar to:
Refused to load the script 'https://analytics.flowsery.com/js/script.js' because it violates the following Content Security Policy directive: "script-src 'self'"

Seeing this message confirms that CSP rules are preventing the Flowsery Analytics script from executing.

Understanding Content Security Policy

A CSP is an HTTP header that instructs browsers which external resources (scripts, stylesheets, images, etc.) are permitted to load on a page. When analytics.flowsery.com is not included in the policy, the browser blocks the script without showing anything on the page itself (the violation appears only in the DevTools console) -- resulting in no data being collected at all.

Resolving the issue

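Add analytics.flowsery.com to the script-src directive within your CSP header. The specific steps vary by platform. The examples below show only the script-src directive; if your site already sends a policy, keep the sources it already lists and add the host to the existing script-src list rather than replacing the whole policy.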

Next.js

Update the Content-Security-Policy header inside your next.config.js:

const ContentSecurityPolicy = `
  script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.flowsery.com;
`;

module.exports = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          {
            key: 'Content-Security-Policy',
            value: ContentSecurityPolicy.replace(/\n/g, ''),
          },
        ],
      },
    ];
  },
};

Vercel (vercel.json)

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Content-Security-Policy",
          "value": "script-src 'self' 'unsafe-inline' https://analytics.flowsery.com;"
        }
      ]
    }
  ]
}

Netlify (_headers file)

/*
  Content-Security-Policy: script-src 'self' 'unsafe-inline' https://analytics.flowsery.com;

HTML meta tag

When you cannot modify server headers, a meta tag inside <head> is an alternative:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' https://analytics.flowsery.com;" />

Note that this approach only helps when no server-level CSP header is already blocking the script -- the browser enforces a header policy and a meta policy together, so a meta tag cannot relax what a server header restricts.

Nginx

add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' https://analytics.flowsery.com;" always;

Apache (.htaccess)

Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' https://analytics.flowsery.com;"

WordPress

If you rely on a security plugin such as WP Cerber, Sucuri, or Wordfence, navigate to its CSP or "HTTP headers" settings and add https://analytics.flowsery.com to the list of permitted script sources.

When your theme configures CSP directly in functions.php:

header("Content-Security-Policy: script-src 'self' 'unsafe-inline' https://analytics.flowsery.com;");

Running behind a proxy?

If you have configured a proxy for Flowsery Analytics, the script is served from your own domain. In that scenario, 'self' in your CSP already permits it, so no additional changes should be necessary. If problems persist after proxying, verify that the proxy endpoint sits on the same origin as your website: 'self' does not cover a different subdomain.

Using connect-src?

If your CSP also limits connect-src (which governs where the browser can send data via fetch/XHR), include analytics.flowsery.com in that directive as well:

Content-Security-Policy: script-src 'self' https://analytics.flowsery.com; connect-src 'self' https://analytics.flowsery.com;

Still experiencing issues?

  • Confirm you are modifying the active CSP header. Certain hosting providers or CDNs can override headers.
  • Look for multiple CSP headers -- browsers enforce the most restrictive combination of all present headers.
  • Clear your browser cache and re-test in a private/incognito window.
  • When using a proxy, ensure both script-src and connect-src include your proxy domain.
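
The multiple-header check from the list above, as an added example (not Flowsery's code): given every CSP value the browser received, it returns the policies that block a URL, including the script-src/connect-src fallback to default-src. The function names, the example.com page origin and the sample headers are constructed for illustration, and the matcher is simplified as noted in its first comment.

```javascript
// Added example: simplified CSP matching. Ignores nonces, hashes,
// 'strict-dynamic', ports and paths; handles keywords, schemes and hosts.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === '*') return true; // wildcard covers https targets
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', ...
  if (source.endsWith(':')) return url.protocol === source; // e.g. https:
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/);
  if (!m) return false;
  if (m[1] && m[1] + ':' !== url.protocol) return false;
  return m[2] ? url.hostname.endsWith('.' + m[3]) : url.hostname === m[3];
}

// Returns every policy that blocks `target` for `directive`. The browser
// enforces all policies together, so one entry here is enough to block.
function blockingPolicies(headers, directive, target, pageOrigin) {
  const url = new URL(target);
  return headers.filter((header) => {
    const policy = parsePolicy(header);
    // script-src and connect-src fall back to default-src when absent.
    const sources = policy.get(directive) ?? policy.get('default-src');
    if (sources === undefined) return false; // this policy has no opinion
    return !sources.some((s) => sourceMatches(s, url, pageOrigin));
  });
}

// Constructed sample: a CDN-injected header plus the application's header.
const PAGE = 'https://example.com';
const SCRIPT = 'https://analytics.flowsery.com/js/script.js';
const sampleHeaders = [
  "default-src 'self'",
  "script-src 'self' https://analytics.flowsery.com; connect-src 'self' https://analytics.flowsery.com",
];
console.log(blockingPolicies(sampleHeaders, 'script-src', SCRIPT, PAGE));
```

In the constructed sample the application's header allows the script, but the extra default-src 'self' header still blocks it, which is the situation the second bullet describes.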