
Cloudflare Content Security Policies (CSPs) and Visitor IP Tracking


Cloudflare is a content delivery tool that helps optimize, protect, and speed up your website when you have a significant amount of traffic and your web hosting is not keeping up with the task.

Cloudflare is not a typical web host; rather, it is a content delivery network (CDN).
Both the CDN service and web hosting are required. You have the option of selecting a hosting provider that includes Cloudflare access by default or manually signing up for the service.

If you utilize Cloudflare and the visitor tracking is not working

Before proceeding to make any modifications to your Cloudflare settings, verify the following:

  1. You have disabled an invisible tracking option
  2. The visitor tracker is not loading or detecting any visits
  3. You have verified the correct installation and the visitor tracker code appears exactly the same in the “source code” of your web pages as provided by
  4. When you open the browser console (Ctrl + Shift + J on Win/Linux and Cmd + Option + J on Mac), you find, among other messages, an error highlighted in red that shows something similar to:

    Refused to load the script ‘…..’ because it violates the following Content Security Policy directive: “script-src ‘self’ 

The above error means that your website hosting or software sets explicit rules to allow specific script sources to load on your website. However, this does not allow to run its programs (and probably affects other scripts on your website) unless you specifically list all the possible scripts that you would like to run on your site in the Content Security Policies rules.

The solution for browser Content Security Policy (CSPs) directive errors

If you are able to modify the HTTP response header rules on your site and add domain name to the “Content Security Policy” directive, this would be an optimal solution. This can generally be done with your website editor/publishing platform, your website hosting software, or a .htaccess file modification.

However, if you cannot modify the HTTP response headers and you need the blocked programs to run on your website, you can use Cloudflare transform rules. These can override and remove your existing HTTP headers and replace them with a basic security policy that allows all other scripts to run on your website.

It is important to note that this method may disable some important security rules, for example if you run advanced merchant programs, so proceed with caution.
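
One way to apply the first option above (adding a domain to the existing policy) and to list what the Cloudflare override value would discard. This is an added example, not code from the original article or from Cloudflare; `https://tracker.example`, the sample policy, and the function names are constructed placeholders.

```javascript
// Added example. TRACKER_ORIGIN and EXISTING_CSP are constructed placeholders.
const TRACKER_ORIGIN = "https://tracker.example";
const EXISTING_CSP =
  "default-src 'self'; script-src 'self' https://cdn.example; frame-ancestors 'none'";
const OVERRIDE_CSP = "upgrade-insecure-requests;"; // value set in step 6 of the page

// Parse a CSP header value into a Map: directive name -> list of sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers ignore a directive that repeats an earlier name.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy].map(([name, sources]) => [name, ...sources].join(" ")).join("; ");
}

// Allow one extra origin for <script src> loads and keep every other rule.
// Browsers check script-src-elem, then script-src, then default-src.
function allowScriptOrigin(header, origin) {
  const policy = parseCsp(header);
  const governing = ["script-src-elem", "script-src", "default-src"].find((d) => policy.has(d));
  if (!governing) return serializeCsp(policy); // scripts are not restricted by this policy
  // Never widen default-src: copy its sources into a new script-src instead.
  const target = governing === "default-src" ? "script-src" : governing;
  const sources = policy.get(governing).filter((s) => s !== "'none'");
  if (!sources.includes(origin)) sources.push(origin);
  policy.set(target, sources);
  return serializeCsp(policy);
}

// Directives the existing policy enforces that an override value would drop.
function droppedByOverride(existing, override) {
  const kept = parseCsp(override);
  return [...parseCsp(existing).keys()].filter((name) => !kept.has(name));
}

console.log(allowScriptOrigin(EXISTING_CSP, TRACKER_ORIGIN));
console.log(droppedByOverride(EXISTING_CSP, OVERRIDE_CSP));
```

Run `droppedByOverride` on your site's current header before creating the transform rule; every directive it lists stops being enforced once the override is active.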


How to use Cloudflare to resolve Content Security Policy directive errors

To allow the website tracker to work properly and to allow third-party scripts to load on your website, you will need to override your existing strict HTTP “Content Security Policy” directives (CSPs).

Follow the steps below to create your basic security policy. You can also add additional security measures following the basic rules to improve the security of your website if necessary. The additional rules could be the same as your existing rules, but if you use them, you will need to add the domain to any restrictive security rules.

    1. Log in to your Cloudflare account. Click on the “website” menu item on the left
    2. Select your website to access the website dashboard
    3. Using the dashboard menu, click on the “Rules” menu item to expand the submenu
    4. Within the “Rules” menu, click on the “Transform Rules” and then on the right, click on the “Create Transform Menu” and select “Modify Response Header”
    5. Under the Transform Rules section, specify the Rule Name as CSP Overrides. In the “When incoming responses match…” section, set the Field to “SSL/HTTPS” and the Operator to “equals”, and flip the toggle ON.
    6. Within the same Transform Rules section, set the new response headers as specified below
      Set static => content-security-policy = upgrade-insecure-requests;
      Set static => referrer-policy = no-referrer-when-downgrade

    7. Click on the “Save” button to activate your new policy overrides

Once you complete the steps above, the overrides should become active within 1-2 minutes. Clear your browser cache and reload the page of your website where the visitor tracker is installed. The tracker icon should now load and you should no longer see the “Content Security Policy” warnings in your browser console.

If you need further help, please submit a technical support ticket.
