From a4cff13531f374c6990451bc4c5a9784a850ecfc Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 21 Jul 2025 21:32:50 -0300
Subject: [PATCH] fix(bouncer): add missing domain to CSP header BE-12067
 (#916)

---
 api/http/security/bouncer.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/http/security/bouncer.go b/api/http/security/bouncer.go
index fa7360f4c..55b7faecc 100644
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@@ -534,7 +534,7 @@ func MWSecureHeaders(next http.Handler, hsts, csp bool) http.Handler {
 		}
 
 		if csp {
-			w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud; frame-ancestors 'none';")
+			w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud js.hsforms.net; frame-ancestors 'none';")
 		}
 
 		w.Header().Set("X-Content-Type-Options", "nosniff")