CSP Policy for Google Analytics
Configure a Content Security Policy that works with Google Analytics (GA4) and Google Tag Manager. Whitelist the correct domains for scripts, connections, and image pixels.
Detailed Explanation
CSP for Google Analytics
Google Analytics is one of the most common third-party scripts on the web. Configuring CSP to allow GA4 (Google Analytics 4) and Google Tag Manager requires whitelisting several Google domains across multiple directives.
Google Analytics 4 (GA4) — Minimal CSP
Content-Security-Policy:
script-src 'self' https://www.googletagmanager.com;
connect-src 'self' https://www.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com;
img-src 'self' https://www.google-analytics.com https://*.google-analytics.com https://*.googletagmanager.com
Why Multiple Domains?
GA4 uses several domains for different purposes:
| Domain | Purpose | Directive |
|---|---|---|
| www.googletagmanager.com | Script loading (gtag.js / GTM container) | script-src |
| www.google-analytics.com | Event data collection | connect-src, img-src |
| *.analytics.google.com | Analytics data endpoints | connect-src |
| *.googletagmanager.com | Tag Manager data | connect-src, img-src |
| *.google.com | Additional Google services (if using linked products) | connect-src |
Google Tag Manager (GTM)
If you use GTM to load GA4 and other tags, you need a broader policy because GTM can dynamically inject scripts from various origins:
Content-Security-Policy:
script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com 'unsafe-inline';
connect-src 'self' https://www.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net;
img-src 'self' https://www.google-analytics.com https://*.google-analytics.com https://*.googletagmanager.com https://*.g.doubleclick.net
Warning: 'unsafe-inline' in script-src permits every inline script, including any an attacker manages to inject, so it largely defeats the XSS protection that script-src is meant to provide. If GTM is used, prefer a nonce and configure GTM to support it.
GTM with Nonces
Google Tag Manager supports nonces. In your GTM container snippet:
<script nonce="abc123">
(function(w,d,s,l,i){...})(window,document,'script','dataLayer','GTM-XXXX');
</script>
And in your CSP:
script-src 'nonce-abc123' 'strict-dynamic'
With 'strict-dynamic', scripts loaded by the nonced GTM snippet (including GA4) are automatically trusted. The nonce must be freshly generated for every response and unpredictable; a fixed value such as abc123 is only a placeholder and gives no protection in production.
Ads and Remarketing
If you use Google Ads conversion tracking or remarketing alongside GA4, additional domains are needed:
script-src 'self' https://www.googletagmanager.com https://www.googleadservices.com https://googleads.g.doubleclick.net;
connect-src 'self' https://www.google-analytics.com https://*.g.doubleclick.net https://pagead2.googlesyndication.com;
img-src 'self' https://www.google-analytics.com https://www.google.com https://googleads.g.doubleclick.net;
frame-src https://www.googletagmanager.com https://td.doubleclick.net
Testing Your Configuration
- Open Chrome DevTools → Console
- Look for CSP violation messages mentioning Google domains
- Add any blocked domains to the appropriate directive
- Use Google's Tag Assistant to verify tags fire correctly
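A complementary offline check, added here as an example and not part of the original page: it parses a serialized policy and reports, per directive, which GA4 request URLs the policy would block, implementing CSP host-source matching (scheme plus `*.` wildcard host). The request URLs and the example.com page origin are constructed, and region1.analytics.google.com is a made-up host used only to exercise the *.analytics.google.com wildcard.

```python
"""Check a CSP header against the origins GA4 / GTM contact, per directive,
using CSP host-source matching (scheme + wildcard host; ports/paths ignored)."""
import re
from urllib.parse import urlsplit

HOST_SOURCE = re.compile(r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
                         r"(?P<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(?:\d+|\*))?(?:/\S*)?$")

# Constructed GA4 request URLs per directive; region1.analytics.google.com is a made-up stand-in for the *.analytics.google.com wildcard.
GA4_REQUIRED = {
    "script-src": ["https://www.googletagmanager.com/gtag/js"],
    "connect-src": ["https://www.google-analytics.com/g/collect",
                    "https://region1.analytics.google.com/g/collect"],
    "img-src": ["https://www.google-analytics.com/collect", "https://www.googletagmanager.com/"],
}

def parse_csp(header):
    """Serialized policy -> {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(src, url, page_origin):
    """Does one source expression permit `url`? page_origin is (scheme, host)."""
    u = urlsplit(url)
    if src == "'self'":
        return (u.scheme, u.hostname) == page_origin
    if src.startswith("'"):          # 'none', 'unsafe-inline', nonces, hashes: not host-sources
        return False
    m = HOST_SOURCE.match(src.lower())
    if not m or (m.group("scheme") and m.group("scheme") != u.scheme):
        return False
    host = m.group("host")
    if host.startswith("*."):        # *.google.com matches a.google.com but not google.com
        return u.hostname.endswith(host[1:])
    return host == "*" or u.hostname == host

def missing_origins(header, required=GA4_REQUIRED, page_origin=("https", "example.com")):
    """{directive: [blocked URLs]}; an absent directive falls back to default-src, and with neither present nothing is blocked."""
    policy, blocked = parse_csp(header), {}
    for directive, urls in required.items():
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            continue
        bad = [u for u in urls if not any(source_matches(s, u, page_origin) for s in sources)]
        if bad:
            blocked[directive] = bad
    return blocked
```

Run `missing_origins(<your header value>)` against a candidate policy before deploying it; an empty dict means every GA4 request in the constructed set is permitted.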
Balancing Security and Analytics
Adding many Google domains to your CSP widens the attack surface. Consider:
- Server-side GTM to proxy analytics through your own domain
- Self-hosted analytics (Plausible, Umami) that require only connect-src 'self'
- GA4 Measurement Protocol for server-side event tracking
Use Case
Nearly every marketing website and e-commerce platform uses Google Analytics. When adding CSP to a site that already has GA4 or GTM installed, correctly configuring the Google domains prevents analytics from breaking. Marketing teams rely on accurate analytics data, so CSP misconfiguration that silently blocks GA4 can lead to data loss and incorrect business decisions.