1. Security-and-Privacy
  • Getting-Started
    • CYBEXO Developer Documentation
    • Quickstart (5 to 10 Minutes)
    • Documentation Overview
    • Concepts and Glossary
  • Compliance-and-Standards
    • Compliance Overview
    • IAB TCF v2.3 Support
    • Google Consent Mode v2 Validation
    • TCF API Validation
    • Audit Checklist (Pre-Launch)
  • Web-and-CMS-Integrations
    • CYBEXO CMP SDK – Web & GTM Setup
    • Integrate CYBEXO CMP with Webflow and Wix
    • Integrate CYBEXO CMP with WordPress
    • Integrate CYBEXO CMP with Drupal
    • Integrate CYBEXO CMP with Shopify
    • Google Tag Manager (GTM) Template Guide
  • Mobile-SDKs
    • CYBEXO CMP SDK - iOS Setup
    • iOS SDK API Reference
    • CYBEXO CMP SDK - Android Setup
    • Android SDK API Reference
    • App Attribution Partner (AAP) Integrations
  • Developer-Reference
    • Web JS API Reference
    • Consent Event Schema
    • Deployment and Environments
    • CYBEXO Debug Tool
    • Troubleshooting Playbook
    • Performance and Best Practices
    • Accessibility and UX Guidelines
    • Localization Workflow
    • Migration Guide
  • Security-and-Privacy
    • Security Overview
    • Privacy Architecture
    • Data and Logging Transparency
    • Subprocessors
    • CSP and Network Allowlist
  • Enterprise-and-Legal
    • DPA and Legal Pack
    • RFP Feature Matrix
    • Status and Reliability
    • Support and Escalation
    • CYBEXO CMP SDK – Commercial Licence
  • Operations
    • Changelog and Version Policy
  1. Security-and-Privacy

CSP and Network Allowlist

Last updated: February 18, 2026
This page provides Content Security Policy (CSP) and network allowlist guidance for organizations integrating CYBEXO CMP.
Security teams should validate CSP and outbound network policies before production rollout.

1. Required Domains#

Typical CYBEXO endpoints:
https://cmp.cybexo.com
CMP loader script, banner assets, static resources.
https://api.nexaguard.io
Consent API, configuration retrieval, consent state synchronization.
If additional endpoints are introduced (for example regional endpoints), they will be documented prior to release.

2. Example CSP Snippet#

The following example should be adjusted to match your organization's baseline CSP policy.

Notes#

'unsafe-inline' may be required depending on site configuration.
Organizations with strict CSP policies should test before production rollout.
If using nonce- or hash-based CSP enforcement, ensure CMP loader injection is compatible with your policy.

3. GTM and Google Dependencies#

If Google Tag Manager, gtag.js, or Google Ads/Analytics are used, your CSP must include required Google domains according to your tag architecture.
Typical Google domains may include:
https://www.googletagmanager.com
https://www.google-analytics.com
https://www.googleadservices.com
https://pagead2.googlesyndication.com
CYBEXO CMP does not require these domains directly, but Google tags do.
Refer to Google's official documentation for required CSP directives.

4. Validation Steps#

After applying CSP restrictions:
1.
Open browser developer tools.
2.
Confirm there are no CSP violations in the console.
3.
Confirm:
CMP loader (cmp.cybexo.com) loads successfully.
API calls (api.nexaguard.io) return HTTP 2xx.
Banner displays correctly.
Consent updates trigger as expected.
4.
Validate consent mode using:
Tag Assistant
CYBEXO Debug Tool

5. Network Policy#

Protocol: HTTPS only
Port: 443
Fixed IP allowlists: Not applicable
CYBEXO CMP services are delivered via globally distributed infrastructure. Fixed IP ranges are not guaranteed and should not be relied upon for firewall allowlisting.
Organizations requiring IP-based controls should allowlist domains instead of IP addresses.
Previous
Subprocessors
Next
DPA and Legal Pack