CSP for FullStory Product Analytics
FullStory is one of those tools that security teams side-eye and product teams love. Session replay, event capture, rage clicks, funnels — great for debugging real user behavior, but it also means you’re injecting a third-party script that phones home constantly. That makes Content Security Policy a real concern, not a checkbox.

If you add FullStory without thinking through CSP, you usually get one of two outcomes:

- FullStory silently breaks and nobody notices until analytics goes dark.
- Someone opens the policy way too far with https: and 'unsafe-inline', and now your CSP is mostly decorative.

I’d rather avoid both. ...
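
The second outcome above can be caught mechanically before a policy ships. The following is an added example, not code from the original article: it audits a policy string for the https: and 'unsafe-inline' sources the text mentions, and the sample policies and the analytics-vendor.example host are constructed placeholders, not FullStory's real endpoints.

```python
# Added example: flag over-broad CSP sources. Policies and host are constructed.
BROAD = {"*", "http:", "https:", "'unsafe-inline'"}
CHECKED = ("script-src", "connect-src")  # where an analytics script loads and reports
PINNED = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Parse a CSP header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit(header):
    """Return (directive, problem) findings in policy order."""
    policy = parse_csp(header)
    findings = []
    for directive in CHECKED:
        # Fetch directives fall back to default-src when absent.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            findings.append((directive, "unrestricted"))
            continue
        lowered = [s.lower() for s in sources]
        # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
        pinned = any(s.startswith(PINNED) for s in lowered)
        for s in lowered:
            if s not in BROAD:
                continue
            if s == "'unsafe-inline'" and (directive != "script-src" or pinned):
                continue
            findings.append((directive, s))
    return findings


LOOSE = "default-src 'self'; script-src 'self' https: 'unsafe-inline'; connect-src https:"
TIGHT = ("default-src 'self'; script-src 'self' https://analytics-vendor.example; "
         "connect-src 'self' https://analytics-vendor.example")

if __name__ == "__main__":
    for name, header in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, audit(header))
```

A policy with neither script-src nor default-src is reported as unrestricted, since that leaves script loading uncontrolled.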