CSP & CORS configuration
Recommended configuration for the ZYKAY v4 loader.
Minimum CSP
<meta http-equiv="Content-Security-Policy" content="
default-src 'self';
script-src 'self' https://widget-app.zykay.com 'unsafe-inline';
connect-src 'self' https://widget-app.zykay.com https://api.zykay.com;
img-src 'self' data: https:;
style-src 'self' 'unsafe-inline';
">Why these guidelines
| Directive | Reason |
|---|---|
script-src https://widget-app.zykay.com | Loading the loader v4 |
connect-src https://widget-app.zykay.com | verify-request + verify-status |
connect-src https://api.zykay.com | Partner backend calls (if necessary in mixed environment) |
style-src 'unsafe-inline' | Styles injected by the widget |
img-src data: | QR code and inline assets |
⚠️
The v4 flow does not use a partner iframe, so frame-src and sandbox are no longer required for standard integration.
CORS (your backend)
Your local exchange endpoint should only accept your frontend origin.
import cors from 'cors';
app.use('/api/zykay/exchange', cors({
origin: 'https://votresite.com',
methods: ['POST'],
credentials: true,
}));Quick Checks
- Open the browser console
- Check for CSP errors
- Verify that
https://widget-app.zykay.com/v4/loader.min.jsloads - Check that
verify-requestandverify-statuscalls are not blocked