Overview

Many Merge customers use a CSP to provide an added layer of security and restrict which URLs and domains they allow interaction with in the embedded linking flow.

Merge Link requires the following policies:

You can learn more about how to add a CSP here, but below are the URLs and domains Merge requires:

• script-src https://cdn.merge.dev

• connect-src https://api.merge.dev

• img-src https://merge-api-public.s3.amazonaws.com

• frame-src https://cdn.merge.dev