Production hardening
The default embed works as-is. For production sites with a strict security posture, pin the loader with Subresource Integrity, satisfy your Content Security Policy with a nonce, and front the receiver with a CDN. Walk this checklist before you ship.
Before you ship #
Pin the loader with Subresource Integrity
Add an integrity hash and crossorigin to the loader tag so the browser refuses a tampered file.
Satisfy your Content Security Policy
Put a per-request nonce on each inline script tag, and allow the ingest origin in connect-src.
Front the receiver with a CDN
Point a CDN at the receiver as origin to cache the bundle at the edge. No code change is needed.
Verify in a clean session
Load the page with the production CSP active and confirm events still arrive and no CSP violations appear in the console.
Subresource Integrity #
Subresource Integrity (SRI) pins the loader to a known cryptographic hash. If the served file does not
match, the browser refuses to execute it. Add integrity and crossorigin to the
loader tag:
<!-- Pin the loader to a known hash. The browser refuses to run -->
<!-- the file if it does not match. crossorigin is required for SRI. -->
<script
src="https://rum-ingest.example.com/v1/rum/ambilobe-rum.min.js"
integrity="sha384-…"
crossorigin="anonymous"
async></script> Content Security Policy #
The recommended embed has two inline <script> tags: the stub and the
init call. Under a strict CSP, inline scripts are blocked unless you allow them. The clean
way is a per-request nonce on each tag, matched by a nonce- source in the header.
<!-- Add the same per-request nonce to every inline script tag. -->
<!-- Your server generates the nonce and sets it in the CSP header. -->
<script nonce="r4nd0m-per-request">
!function(w){if(w.amb)return;/* …inline stub… */}(window);
</script>
<script nonce="r4nd0m-per-request">
amb('init', { /* … */ });
</script> The matching header, with the ingest origin allowed for the beacon connection:
Content-Security-Policy:
script-src 'self' 'nonce-r4nd0m-per-request';
connect-src 'self' https://rum-ingest.example.com; Front with a CDN #
The receiver serves the collector bundle itself, so you do not need a CDN. To cache the bundle at the
edge and shorten the loader fetch, point a CDN at the receiver as origin and serve
/v1/rum/* through it. Leave the beacon endpoint pointed at the receiver. No snippet change
is required beyond swapping the asset host.