Per-funnel content security policy

feature

Simon Steilgaard· Founder of Appfunnel

changelog/per-tenant-cspshipped jun 11, 2026

Every live funnel now serves its own content security policy, generated from exactly the integrations you enabled. The browser is told which analytics networks are allowed to load and blocks everything else, so a funnel that only runs Meta and GTM cannot quietly pull in anything you never approved.

Use cases

  • Locked to your integrations - the policy lists only the networks you turned on, and the page refuses the rest
  • Injection hardening - inline script and unexpected origins are blocked, shrinking what an attacker could ever inject
  • No wiring required - the policy is derived and shipped automatically each time you publish, per funnel

Impact

Your funnels handle payment and personal data, so the page they run on should be defended, not open by default. This closes the gap between the integrations you chose and what the browser will actually execute, without asking you to hand-write a single header.