Whitelisted Square Domains for Content Security Policy & Web Payments SDK

steveh · January 12, 2023, 12:06am

Hello,

I don’t believe I’ve seen documented anywhere all of the Square domains that need to be whitelisted when employing Content Security Policy (Content Security Policy (CSP) - HTTP | MDN) in conjunction with the Web Payments SDK. It’s easy enough to figure out by following the breadcrumbs of complaint that a browser will log to the console, but it would be nice if this information was documented and thus a bit more contractual, especially if it were to ever change. Thanks.

Bryan-Square · January 12, 2023, 12:11am

You’ll want to enable traffic through the following ports.

- squareup.com:80
- squareup.com:443
- api.squareup.com:443
- connect.squareup.com:443
- connect.squareupsandbox.com:443
- docs.connect.squareup.com:443

Your right we don’t document this and we can look into adding this to our documentation. Thanks for pointing this out.

steveh · January 12, 2023, 12:36am

This are the settings that I’ve found to be necessary:

Sandbox

script-src
https://*.squarecdn.com
https://js.squareupsandbox.com

connect-src
https://pci-connect.squareupsandbox.com

Production

script-src
https://*.squarecdn.com
https://js.squareup.com

connect-src
https://pci-connect.squareup.com

There should also be verbiage around having to use a Nonce with the inline script provided at https://developer.squareup.com/reference/sdks/web/payments when using CSP.

(This sample HTML snippet has been very handy and works well, although I think there is opportunity to make it a little less brittle. A topic for another post however…)

Thanks

Bryan-Square · January 12, 2023, 12:39am

We’re constantly working to improve our features based on feedback like this, so I’ll be sure to share your request to the API product team.

lavid · March 30, 2026, 10:39pm

I highly doubt it’ll get any traction, but the lack of proper documentation around needed CSP and CORS etc policy for using the square payment web payment SDK is bothersome. Without some sort of documented set of FQDNs that the square payment API uses (in card mode, google pay, apple pay, etc) prevents consumer websites from implementing their own CSP and CORS policies to harden security.

At least since this thread started, *.ingest.sentry.io and csp-report.browser-intake-datadoghq.com are also required.

Topic		Replies	Views
Content Security Policy (CSP) Questions for Web Payments SDK Questions	7	906	April 12, 2024
Content Security Policy settings Questions	5	725	December 31, 2023
Content Security Policy Errors in Square Web Payments SDK Questions web-payments-sdk	2	43	March 31, 2026
CSP Issues when integrating with web payments API Questions web-payments-sdk	2	110	May 8, 2025
Square Payment Form not display. Feature Requests web-payments-sdk	3	2061	December 12, 2023

Whitelisted Square Domains for Content Security Policy & Web Payments SDK

Related topics