Hello, my product enforces a strict content security policy (CSP) so I need to list the Dato domains we reach out to for API requests, images, etc. I couldn’t find a list of those domains in your documentation. Could you please list the required directives and add them to the docs?
Here’s an example of the format I’m hoping for.
Thank you.
Hello @maxime.preaux
Welcome to the DatoCMS community! That’s a great question, and you’re right that we don’t currently have a dedicated CSP documentation page. I’ll compile the domains you’ll need for your Content Security Policy configuration.
For API requests (connect-src):
graphql.datocms.com (Content Delivery API, GraphQL)
graphql-listen.datocms.com (Real-time Updates API for live previews via SSE)
site-api.datocms.com (Content Management API, REST)
For images and assets (img-src):
For video streaming (media-src and connect-src):
stream.mux.com (video streaming via HLS and MP4 delivery)
image.mux.com (video thumbnails)
If you’re embedding the DatoCMS admin interface or using plugins (frame-src):
Keep in mind that if you’re on an Enterprise plan with a custom asset domain, you’d replace www.datocms-assets.com with your custom domain. The same applies if you use a custom CMS admin domain.
I agree this would be super helpful to have in the docs! I’ll pass along your feedback internally
Thank you for the quick response!
We’re working on a docs page for this now.
One more to add in the meantime, though:
datocms-assets.6c36efb897e5eae1d2a887cfa632eea9.eu.r2.cloudflarestorage.com is where asset uploads go (whenever you upload something via the media area or API)
@roger looking forward to the docs page!
Regarding the Cloudflare URL: is the datocms-assets.com domain not sufficient to fetch and display images?
@maxime.preaux Yes, for simply fetching and displaying images, www.datocms-assets.com is sufficient. That domain points to our Imgix CDN which serves all your optimized images.
The Cloudflare R2 domain (datocms-assets.6c36efb897e5eae1d2a887cfa632eea9.eu.r2.cloudflarestorage.com) is only needed if your application uploads assets to DatoCMS directly, like if you’re using the Content Management API to programmatically create uploads or if your frontend needs to interact with the Media Area upload flow. If your product only reads and displays content (which is the common case for most frontend applications), you won’t need the R2 domain in your CSP.
The doc page is up now at DatoCMS Domains and Content Security Policy (CSP) — DatoCMS
But it’s basically the same thing as the post above 
That’s great, I’m sure that will help other people in the future. Thanks to the team!