diff --git a/packages/core/src/middleware/koa-security-headers.ts b/packages/core/src/middleware/koa-security-headers.ts
index 00cfa54e8..0847353c7 100644
--- a/packages/core/src/middleware/koa-security-headers.ts
+++ b/packages/core/src/middleware/koa-security-headers.ts
@@ -105,6 +105,9 @@ export default function koaSecurityHeaders(
 "'self'",
 "'unsafe-inline'",
 `${gsiOrigin}client`,
+ // Some of our users may use the Cloudflare Web Analytics service. We need to allow it to
+ // load its scripts.
+ 'https://static.cloudflareinsights.com/',
 ...conditionalArray(!isProduction && "'unsafe-eval'"),
 ],
 connectSrc: ["'self'", gsiOrigin, tenantEndpointOrigin, ...developmentOrigins],
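Review bot: The added `'https://static.cloudflareinsights.com/'` source is unconditional, so every deployment now trusts that third-party host for script execution, while the comment itself says only some users need it. The directive name is outside the hunk, but the neighbouring `'unsafe-inline'` and the comment suggest this is the script source list. Consider gating the entry the way the next line gates `'unsafe-eval'`, e.g. `...conditionalArray(cloudflareAnalyticsEnabled && 'https://static.cloudflareinsights.com/')`, where `cloudflareAnalyticsEnabled` is a placeholder for whatever setting the project exposes, or at least narrowing the source to the single beacon file instead of the whole host. The `connectSrc` context line is unchanged, so if the analytics script reports to a Cloudflare endpoint rather than `'self'`, those requests would still be blocked; that is worth verifying in a browser with the policy enforced.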