Static assets scraping

In the context of Zoning and Session Replays, Contentsquare fetches static assets on your website.

To allow Contentsquare fetching these assets, select one of the following options:

  1. Allowlist Contentsquare IP addresses
  2. Use a static header to validate requests
  3. Use a dynamic signature header to validate requests

Allow ports 80 (HTTP) and 443 (HTTPS) and allow these IP addresses to prevent your proxy, firewall, or server configuration from blocking the scraper:

  • Current IP: (APP & DT scrapper)
  • New IP: (
  • New IP: (fallback
  • Current IP: (App & DT Scrapper)
  • New IP: (
  • New IP: (fallback
  • Current IP: (Azure East US Scrapper)
  • New IP: (
  • New IP: (fallback
  • Current IP: (Azure North Europe Scrapper)
  • New IP: (
  • New IP: (fallback

When selecting this option, Contentsquare adds a custom header to the project settings.

"headers": {
"my-new-header-key": "myKeyValue"

You can then validate that scrapper requests contains the specific header and value.

receivedHeaderExample = 'myKeyValue';
if (receivedHeaderExample === CONTENTSQUARE_CUSTOM_HEADER) {

Using a custom dynamic signature header

Section titled Using a custom dynamic signature header

When selecting this option, Contentsquare adds the X-CONTENTSQUARE-SIGNATURE header to incoming requests from the scrapper.

The X-CONTENTSQUARE-SIGNATURE header is a string generated in this format:



  • <TIMESTAMP>: the time at which the request was sent using,
  • <RESOURCE_DOMAIN>: the complete domain hosting the resource on your website,
  • <SECRET>: the secret shared between you and Contentsquare for the project, generated at project creation.

With a secret of abcde, the Contentsquare scrapper service has emitted the request below on on the 6th of August 2020 at 05:39 am, to fetch the official Contentsquare logo.

Terminal window
curl \
-H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7' \
-H 'accept: application/json, text/plain, */*' \
-H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36' \
-H 'X-CONTENTSQUARE-SIGNATURE: 1596706743675-BxmHtG6vu4CfFlzpHxc0qYOmR0iMajlIvA2B4404qk4=' \

You can compute the signature and verify it against the value of the X-CONTENTSQUARE-SIGNATURE header by providing:

  • The timestamp from the incoming request (1596706743675),
  • The resource domain (,
  • The secret provided by Contentsquare (abcde).
const crypto = require('crypto');
const secret = 'abcde'; // Given by someone from CS
receivedHeaderExample = '1596706743675-BxmHtG6vu4CfFlzpHxc0qYOmR0iMajlIvA2B4404qk4=';
// Extract the timestamp and digest from the received header
const [timestamp, receivedDigest] = receivedHeaderExample.split('-');
// Extra security step to make sure the timestamp is not too old
const currentTimestamp =;
if(currentTimestamp - timestamp > 5 * 60 * 1000) {
throw new Error("Validation failed. Timestamp signature is older than 5 minutes");
// Recreate the string that was used to generate the digest
const dataToSign = `${resourceDomain}-${timestamp}`; // e.g. '';
// Create a new digest using the same secret and algorithm
const hmac = crypto.createHmac('sha256', secret);
const generatedDigest = hmac.digest('base64');
// Compare the newly generated digest with the one received in the header
if (receivedDigest === generatedDigest) {
console.log('Header is valid');
// Code to validate request