
CSP and Network Allowlist

Last updated: February 18, 2026
This page provides Content Security Policy (CSP) and network allowlist guidance for organizations integrating NexaGuard CMP.
Security teams should validate CSP and outbound network policies before production rollout.

1. Required Domains

Typical NexaGuard endpoints:
  • https://cmp.nexaguard.com: CMP loader script, banner assets, static resources.
  • https://api.nexaguard.io: Consent API, configuration retrieval, consent state synchronization.
If additional endpoints are introduced (for example regional endpoints), they will be documented prior to release.

2. Example CSP Snippet

The following example should be adjusted to match your organization's baseline CSP policy.

Notes

'unsafe-inline' may be required depending on site configuration.
Organizations with strict CSP policies should test before production rollout.
If using nonce- or hash-based CSP enforcement, ensure CMP loader injection is compatible with your policy.

3. GTM and Google Dependencies

If Google Tag Manager, gtag.js, or Google Ads/Analytics are used, your CSP must include required Google domains according to your tag architecture.
Typical Google domains may include:
  • https://www.googletagmanager.com
  • https://www.google-analytics.com
  • https://www.googleadservices.com
  • https://pagead2.googlesyndication.com
NexaGuard CMP does not require these domains directly, but Google tags do.
Refer to Google's official documentation for required CSP directives.

4. Validation Steps

After applying CSP restrictions:
1. Open browser developer tools.
2. Confirm there are no CSP violations in the console.
3. Confirm:
   • CMP loader (cmp.nexaguard.com) loads successfully.
   • API calls (api.nexaguard.io) return HTTP 2xx.
   • Banner displays correctly.
   • Consent updates trigger as expected.
4. Validate consent mode using:
   • Tag Assistant
   • NexaGuard Debug Tool
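
The browser checks above can be preceded by a static check of the policy string. The following Node.js script is an added example, not NexaGuard's own code: it reports which of the two endpoints from Required Domains a given CSP would block. The directive mapping (script-src for the loader, connect-src for the API), the function names and the sample policies are assumptions, and source matching is simplified to host-level checks.

```javascript
// Added example: pre-rollout CSP check for the NexaGuard endpoints named on this page.
// Assumption: the loader needs script-src and the API needs connect-src; extend
// REQUIRED (e.g. style-src, img-src) to match what the banner loads on your site.
const REQUIRED = [
  { directive: "script-src", host: "cmp.nexaguard.com" },
  { directive: "connect-src", host: "api.nexaguard.io" },
];

// Parse a policy string into directive -> source list (first duplicate wins, as in browsers).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Simplified host-source matching for an https origin on port 443.
// Keywords ('self', nonces, hashes) and path-restricted sources never count as covering it.
function sourceAllows(source, host) {
  const s = source.toLowerCase();
  if (s === "*" || s === "https:") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, base, port, path] = m;
  if (scheme && scheme !== "https") return false;
  if (port && port !== "443" && port !== "*") return false;
  if (path && path !== "/") return false;
  return wildcard ? host.endsWith("." + base) : host === base;
}

// Return the "directive origin" pairs the policy would block.
function missingOrigins(header) {
  const policy = parsePolicy(header);
  return REQUIRED.filter(({ directive, host }) => {
    const sources = policy.get(directive) ?? policy.get("default-src");
    if (sources === undefined) return false; // nothing governs this fetch type
    return !sources.some((src) => sourceAllows(src, host));
  }).map(({ directive, host }) => `${directive} https://${host}`);
}

// Constructed sample policies (not from NexaGuard documentation).
const SAMPLE_OK = "default-src 'self'; script-src 'self' https://cmp.nexaguard.com; connect-src 'self' https://api.nexaguard.io";
const SAMPLE_GAP = "default-src 'self'; script-src 'self' https://*.nexaguard.com; img-src *";

console.log(missingOrigins(SAMPLE_OK));
console.log(missingOrigins(SAMPLE_GAP));
```

A policy that uses 'strict-dynamic' ignores host sources in script-src, so this host-level check does not apply to it; rely on the browser validation steps in that case.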

5. Network Policy

Protocol: HTTPS only
Port: 443
Fixed IP allowlists: Not applicable
NexaGuard CMP services are delivered via globally distributed infrastructure. Fixed IP ranges are not guaranteed and should not be relied upon for firewall allowlisting.
Organizations requiring IP-based controls should allowlist domains instead of IP addresses.