Production hardening

The default embed works as-is. For production sites with a strict security posture, pin the loader with Subresource Integrity, satisfy your Content Security Policy with a nonce, and front the receiver with a CDN. Walk this checklist before you ship.

Before you ship #

Pin the loader with Subresource Integrity

Add an integrity hash and crossorigin to the loader tag so the browser refuses a tampered file.

Satisfy your Content Security Policy

Put a per-request nonce on each inline script tag, and allow the ingest origin in connect-src.

Front the receiver with a CDN

Point a CDN at the receiver as origin to cache the bundle at the edge. No code change is needed.

Verify in a clean session

Load the page with the production CSP active and confirm events still arrive and no CSP violations appear in the console.

Subresource Integrity #

Subresource Integrity (SRI) pins the loader to a known cryptographic hash. If the served file does not match, the browser refuses to execute it. Add integrity and crossorigin to the loader tag:

loader with SRI html
<!-- Pin the loader to a known hash. The browser refuses to run -->
<!-- the file if it does not match. crossorigin is required for SRI. -->
<script
  src="https://rum-ingest.example.com/v1/rum/ambilobe-rum.min.js"
  integrity="sha384-…"
  crossorigin="anonymous"
  async></script>

Content Security Policy #

The recommended embed has two inline <script> tags: the stub and the init call. Under a strict CSP, inline scripts are blocked unless you allow them. The clean way is a per-request nonce on each tag, matched by a nonce- source in the header.

nonced inline scripts html
<!-- Add the same per-request nonce to every inline script tag. -->
<!-- Your server generates the nonce and sets it in the CSP header. -->
<script nonce="r4nd0m-per-request">
!function(w){if(w.amb)return;/* …inline stub… */}(window);
</script>
<script nonce="r4nd0m-per-request">
  amb('init', { /* … */ });
</script>

The matching header, with the ingest origin allowed for the beacon connection:

CSP header text
Content-Security-Policy:
  script-src 'self' 'nonce-r4nd0m-per-request';
  connect-src 'self' https://rum-ingest.example.com;

Front with a CDN #

The receiver serves the collector bundle itself, so you do not need a CDN. To cache the bundle at the edge and shorten the loader fetch, point a CDN at the receiver as origin and serve /v1/rum/* through it. Leave the beacon endpoint pointed at the receiver. No snippet change is required beyond swapping the asset host.