# Flowsery Analytics script blocked by Content Security Policy (CSP)
If you have added the Flowsery Analytics tracking snippet but no pageviews are showing up, your site's Content Security Policy (CSP) headers are most likely preventing it from loading.
## Diagnosing a CSP issue
- Open your site in Chrome or Firefox
- Launch DevTools (F12 or Cmd+Shift+I)
- Switch to the Console tab
- Check for an error similar to:

```
Refused to load the script 'https://cdn.flowsery.com/main.js' because it violates the following Content Security Policy directive: "script-src 'self'"
```

Seeing this message confirms that CSP rules are preventing the Flowsery Analytics script from executing.

## Understanding Content Security Policy

A CSP is an HTTP header that instructs browsers which external resources (scripts, stylesheets, images, etc.) are permitted to load on a page. When `analytics.flowsery.com` is not included in the policy, the browser silently blocks the script -- resulting in no data being collected at all.

## Resolving the issue

Add `analytics.flowsery.com` to the `script-src` directive within your CSP header. The specific steps vary by platform. The examples below show only a `script-src` directive; merge the Flowsery source into your existing policy rather than replacing directives you already have.

### Next.js

Update the `Content-Security-Policy` header inside your `next.config.js`:

```js
// Policy written as a multi-line template string for readability.
const ContentSecurityPolicy = `
  script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.flowsery.com;
`;

module.exports = {
  async headers() {
    return [
      {
        // Apply the header to every route.
        source: '/(.*)',
        headers: [
          {
            key: 'Content-Security-Policy',
            // Header values must be a single line, so strip the newlines.
            value: ContentSecurityPolicy.replace(/\n/g, ''),
          },
        ],
      },
    ];
  },
};
```

### Vercel (vercel.json)

```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Content-Security-Policy",
          "value": "script-src 'self' 'unsafe-inline' https://cdn.flowsery.com;"
        }
      ]
    }
  ]
}
```

### Netlify (`_headers` file)

```
/*
  Content-Security-Policy: script-src 'self' 'unsafe-inline' https://cdn.flowsery.com;
```

### HTML meta tag

When you cannot modify server headers, a meta tag inside `<head>` is an alternative:

```html
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' https://cdn.flowsery.com;" />
```

Note that this approach only takes effect when no server-level CSP header is already present -- server headers always override meta tags.

### Nginx

```nginx
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' https://cdn.flowsery.com;" always;
```

### Apache (.htaccess)

```apache
Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' https://cdn.flowsery.com;"
```

### WordPress

If you rely on a security plugin such as WP Cerber, Sucuri, or Wordfence, navigate to its CSP or "HTTP headers" settings and add `https://analytics.flowsery.com` to the list of permitted script sources.

When your theme configures CSP directly in `functions.php`:

```php
header("Content-Security-Policy: script-src 'self' 'unsafe-inline' https://cdn.flowsery.com;");
```

## Running behind a proxy?

If you have configured a proxy for Flowsery Analytics, the script is served from your own domain. In that scenario, `'self'` in your CSP already permits it, so no additional changes should be necessary. If problems persist after proxying, verify that the proxy endpoint sits on the same domain as your website.

## Using connect-src?

If your CSP also limits `connect-src` (which governs where the browser can send data via fetch/XHR), include `analytics.flowsery.com` in that directive as well:

```
connect-src 'self' https://analytics.flowsery.com;
```

## Still experiencing issues?

- Confirm you are modifying the active CSP header. Certain hosting providers or CDNs can override headers.
- Look for multiple CSP headers -- browsers enforce the most restrictive combination of all present headers.
- Clear your browser cache and re-test in a private/incognito window.
- When using a proxy, ensure both `script-src` and `connect-src` include your proxy domain.
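
To test a policy before deploying it, the following added example (not Flowsery's code) checks whether a script URL is allowed by every CSP policy a page receives, which shows how a second, stricter header still blocks the script. It uses a simplified source matcher, and `example.com` is a placeholder site.

```javascript
// Added example (not Flowsery code). Simplified CSP source matching: 'self', '*',
// scheme sources and host sources (optional scheme, "*." wildcard, port, path).
// Nonces, hashes and 'strict-dynamic' are not modelled.
function parsePolicy(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url, page) {
  if (source === '*') return ['http:', 'https:'].includes(url.protocol);
  if (source.toLowerCase() === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ':' : page.protocol;
  const schemeOk = url.protocol === scheme || (scheme === 'http:' && url.protocol === 'https:');
  const host = m[2].toLowerCase();
  const hostOk = host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  const defPort = url.protocol === 'https:' ? '443' : '80';
  const portOk = m[3] === '*' || (m[3] || defPort) === (url.port || defPort);
  const pathOk = !m[4] || (m[4].endsWith('/') ? url.pathname.startsWith(m[4]) : url.pathname === m[4]);
  return schemeOk && hostOk && portOk && pathOk;
}

// A script loads only if EVERY policy allows it: multiple headers and meta tags
// combine restrictively, so one stale policy is enough to block the script.
function checkScript(scriptUrl, pageUrl, policies) {
  const url = new URL(scriptUrl), page = new URL(pageUrl);
  const blockedBy = [];
  for (const value of policies) {
    const d = parsePolicy(value);
    // External <script> loads are governed by script-src-elem, then script-src, then default-src.
    const name = ['script-src-elem', 'script-src', 'default-src'].find((n) => d.has(n));
    if (name && !d.get(name).some((s) => sourceMatches(s, url, page))) blockedBy.push(value);
  }
  return { allowed: blockedBy.length === 0, blockedBy };
}

// Constructed sample: example.com is a placeholder site, policies are taken from this page.
const PAGE = 'https://example.com/';
const SCRIPT = 'https://cdn.flowsery.com/main.js';
console.log(checkScript(SCRIPT, PAGE, ["script-src 'self'"]));
console.log(checkScript(SCRIPT, PAGE, ["script-src 'self'", "script-src 'self' https://cdn.flowsery.com;"]));
```

Pass every `Content-Security-Policy` value the response carries (each header and any meta tag) as a separate array entry; `blockedBy` lists the policies that still need the Flowsery source.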