A Content Security Policy (CSP) is a security standard that provides an additional layer of protection against code injection attacks. Organizations use a CSP to restrict where a web application may load content from and where it may send data. It’s important, however, to ensure that the CSP allows mPulse to function as designed.
How mPulse Works
mPulse works by having a non-blocking JavaScript loader snippet injected into the page. This snippet can be injected at the origin by the application owner or at the Akamai CDN layer. One of the first things this loader snippet does is to load the boomerang data collection library. By default, this library is loaded from “https://c.go-mpulse.net/boomerang”, which is hosted on Akamai edge servers.
Next, the loader snippet makes a request to load the mPulse app config of the customer (based on the API key). This loads all of the custom page group names, timers, metrics, dimensions, etc. that were defined in the mPulse app config GUI. The config is also loaded from “https://c.go-mpulse.net” and is hosted on Akamai edge servers.
Finally, at the browser’s onload event, page and resource performance data is packaged into the beacon and sent to the collection infrastructure, described below. This POST is made to the akstat.io domain.
CSP Settings
In order for mPulse to work as designed, the following CSP rules must be included in your existing rules:
script-src https://*.go-mpulse.net; img-src https://*.akstat.io; connect-src https://*.akstat.io https://*.go-mpulse.net;
These rules are described below:
- script-src https://*.go-mpulse.net: The Boomerang JavaScript file will be downloaded from a host in the go-mpulse.net domain over HTTPS.
- img-src https://*.akstat.io: Boomerang will send GET requests with beacon data to a host in the akstat.io domain using dynamically created IMG elements over HTTPS.
- connect-src https://*.akstat.io: Boomerang will send POST requests with beacon data using XHR or the sendBeacon API to a host in the akstat.io domain over HTTPS.
- connect-src https://*.go-mpulse.net: Boomerang will fetch its configuration from *.go-mpulse.net using XHR over HTTPS.
Finally, if the mPulse app is configured to support cross domain session tracking, an additional rule is required:
frame-src [cross domain session host];
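The following is an added example, not Akamai's or mPulse's own code: a small checker that parses a CSP header and reports which of the source entries listed above it fails to grant, applying the browser's fallback from a missing fetch directive to default-src. Source matching is simplified to exact entries, the https: and * schemes, and https://*.suffix wildcards; the frame-src rule is omitted because its host is deployment-specific.

```javascript
// Sources mPulse needs, per directive (from the rules above).
const MPULSE_REQUIRED = {
  "script-src": ["https://*.go-mpulse.net"],
  "img-src": ["https://*.akstat.io"],
  "connect-src": ["https://*.akstat.io", "https://*.go-mpulse.net"],
};

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // skip empty segments (trailing ';')
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Does one policy entry cover the required source expression?
// Simplified matcher (assumption): exact match, scheme-only entries,
// or a wildcard entry whose suffix covers the required host.
function sourceCovers(entry, required) {
  if (entry === required || entry === "*" || entry === "https:") return true;
  if (entry.startsWith("https://*.")) {
    const suffix = entry.slice("https://*".length); // e.g. ".go-mpulse.net"
    return required.endsWith(suffix);
  }
  return false;
}

// Returns the "directive source" pairs the header does not allow.
// Empty array means the policy is sufficient for mPulse.
function missingMpulseSources(header) {
  const policy = parseCsp(header);
  const missing = [];
  for (const [directive, needed] of Object.entries(MPULSE_REQUIRED)) {
    // script-src, img-src and connect-src fall back to default-src when absent.
    const effective = policy[directive] || policy["default-src"] || [];
    for (const req of needed) {
      if (!effective.some((e) => sourceCovers(e, req))) {
        missing.push(`${directive} ${req}`);
      }
    }
  }
  return missing;
}

// Constructed sample: a typical 'self'-only policy with only script-src widened.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://*.go-mpulse.net";
console.log(missingMpulseSources(SAMPLE_CSP));
```

Run it with `node` to see which directives still block the beacon and config requests for the constructed sample policy.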
Summary
A strong CSP is essential to a secure site. Just be sure to include the above policy rules to allow mPulse to provide the performance data needed to keep your site operating at optimal speed.