For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
WebsiteDashboardGet API key
  • Get Started
    • Welcome
    • Quickstart
    • Agent onboarding
    • Service keys
    • Core Concepts
  • Guides
    • Hosted Mode
    • Webhook Mode
    • Audio Mode
    • SMS and Conversations
    • Compliance and Consent
    • Billing and Usage
    • Voice zones
    • SMS zones
  • Reference
    • Authentication
    • API Overview
    • Errors and Testing
  • API Reference
  • Changelog
    • Cloudflare Insights CSP
    • Agent-native key management
    • Postpaid auto-charge
    • Cents-honest pricing
    • Stripe payments foundation
    • Hosted/webhook mode rename
    • Upgrading to v0.5.7.0
LogoLogo
WebsiteDashboardGet API key
On this page
  • What changed
  • Why this slipped past v0.5.7.2
  • Follow-up
Changelog

Cloudflare Insights CSP allowlist

2026-05-13 · v0.5.7.3 · fix

Was this page helpful?
Previous

Agent-native key management

2026-05-13 · v0.5.7.0 · feature

Next
Built with
Headline. Cloudflare Web Analytics beacon now loads cleanly on saperly.com. No more console violations on every page.

v0.5.7.3 closes a CSP gap that fired 1 to 4 console violations per page on saperly.com. The fix is a config-only change: two Cloudflare origins added to the script-src and connect-src directives. There is nothing to update on your side. This only affects the marketing site.

What changed

  • https://static.cloudflareinsights.com added to script-src. This is the host that serves beacon.min.js.
  • https://cloudflareinsights.com (apex) added to connect-src. This is the host the beacon POSTs to at /cdn-cgi/rum.
  • Staging is unaffected. It runs direct-to-Railway, never sees the beacon, and the CSP there was already correct.

Why this slipped past v0.5.7.2

The beacon is auto-injected at the Cloudflare edge, only on the production hostname. Staging never proxies through Cloudflare, so post-deploy curl smoke tests against staging looked clean. The violations only surface in a real browser on prod because curl does not execute JavaScript.

Follow-up

docs.saperly.com is hosted by Fern under a separate CSP and is tracked for a future polish pass. The marketing-app fix here does not touch the docs CDN.