Feedback's Content Security Policy


Important: Classic Feedback will be retired on August 1, 2026. If you haven’t already, contact your Pendo representative to update your contract to Pendo Listen. After your contract is updated, you must request a data migration if you want to keep your existing classic Feedback data. We recommend completing your migration by May 1, 2026 to ensure a smooth transition. For more information, see Migrate from classic Feedback to Pendo Listen.

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks. If you're running into an issue with your CSP, you might need to adjust it to allow full functionality.

This article outlines the minimum required directives to allow Feedback full functionality. If you need to enable CSP for Pendo’s Engage (Insights & Guidance) platform, see the original Content Security Policy (CSP) article.

Minimum Required Directives

Note: Replace all occurrences of foo.example.com below with your hostname. You may include https:// before any hostnames if desired.

Minimum Required CSP Directives For US/Worldwide Non-EU Clients:

Full functionality, including embedding Feedback in the Pendo Resource Center:

connect-src foo.example.com api.feedback.us.pendo.io 
frame-src foo.example.com portal.feedback.us.pendo.io

In addition, while using Visual Design Studio:

script-src 'unsafe-inline' 'unsafe-eval'

If you're using the widget view for visitor access to Feedback:

style-src 'unsafe-inline'

Minimum requirements for Feedback to function:

connect-src foo.example.com api.feedback.us.pendo.io

Minimum Required CSP Directives For EU Clients:

Full functionality, including embedding Feedback in the Pendo Resource Center:

connect-src foo.example.com api.feedback.eu.pendo.io 
frame-src foo.example.com portal.feedback.eu.pendo.io

In addition, while using Visual Design Studio:

script-src 'unsafe-inline' 'unsafe-eval'

If you're using the widget view for visitor access to Feedback:

style-src 'unsafe-inline'

Minimum requirements for Feedback to function:

connect-src api.feedback.eu.pendo.io 
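
To check an existing policy against the directives listed above, the following added example (not Pendo's code) parses a Content-Security-Policy header value and reports which of the article's sources it does not yet allow. The function names, the sample policy and the hostname app.example.test are assumptions made for illustration.

```javascript
// Added example, not Pendo code: list the sources from this article a CSP lacks.
const FALLBACK = { 'frame-src': ['child-src', 'default-src'] };

// Header value -> Map(directive -> sources). A repeated directive is ignored (first wins).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Sources enforced for a directive via its fallback chain; null = unrestricted.
function effectiveSources(policy, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || ['default-src'])]) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

// True when one source expression covers `wanted` (a host or a quoted keyword).
function allows(source, wanted) {
  if (source === wanted) return true;
  if (wanted.startsWith("'")) return false; // keywords only match themselves
  const host = source.replace(/^https:\/\//, '');
  if (host === '*' || host === wanted) return true;
  return host.startsWith('*.') && wanted.endsWith(host.slice(1));
}

function missingFeedbackSources(header, { region, host, designStudio = false, widget = false }) {
  const required = {
    'connect-src': [host, `api.feedback.${region}.pendo.io`],
    'frame-src': [host, `portal.feedback.${region}.pendo.io`],
  };
  if (designStudio) required['script-src'] = ["'unsafe-inline'", "'unsafe-eval'"];
  if (widget) required['style-src'] = ["'unsafe-inline'"];
  const policy = parseCsp(header);
  const missing = [];
  for (const [directive, wanted] of Object.entries(required)) {
    const sources = effectiveSources(policy, directive);
    if (sources === null) continue; // no directive restricts this fetch type
    for (const w of wanted) if (!sources.some((s) => allows(s, w))) missing.push(`${directive} ${w}`);
  }
  return missing;
}
// Constructed sample policy; app.example.test is a hypothetical stand-in for foo.example.com.
const SAMPLE = "default-src app.example.test; connect-src https://app.example.test *.pendo.io; script-src 'self'";
```

Browsers ignore 'unsafe-inline' in a directive that also carries a nonce or hash source, which this check does not model. It also does not treat 'self' as equivalent to your own hostname.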