Installation

Static HTML or any framework

Paste the snippet into your <head>. It loads asynchronously and doesn't block rendering.

<script async src="https://cdn.meridianblue.ai/v1/loader.js"
        data-site-id="site_01HN..."></script>

The loader is under 2KB gzipped. The runtime bundle (under 25KB gzipped) is fetched on first interaction.

WordPress

Install meridianblue.zip from the plugins screen, then visit Settings → Meridian Blue and paste your Site ID. The plugin injects the snippet into every page and adds a Gutenberg sidebar for tagging AI blocks.

Content Security Policy

If your site enforces a Content Security Policy (CSP), the browser will block cdn.meridianblue.ai/v1/loader.js until you allowlist it. You need to add exactly two hostnames — that's it, forever:

script-src   'self' https://cdn.meridianblue.ai;
connect-src  'self' https://cdn.meridianblue.ai https://plugin.meridianblue.ai;

• cdn.meridianblue.ai serves the loader + runtime bundle.
• plugin.meridianblue.ai is the API (config fetch, event ingest).

You do not need us in img-src, style-src, font-src, or frame-src — the SDK lives inside a closed Shadow DOM and never reaches those slots.

Cloudflare-hosted sites

If your site is behind Cloudflare, the fastest fix is a single Transform Rule in the Cloudflare dashboard. Full step-by-step walkthrough (including a Workers fallback for older plans) is here:

→ Cloudflare installation guide

Other stacks

Stack	Where to add it
Nginx	add_header Content-Security-Policy "…"; in your server block
Apache	Header set Content-Security-Policy "…"
Next.js	headers() in next.config.js, or middleware
WordPress	A CSP plugin, or add_action('send_headers', …) in a theme
Netlify / Vercel	[[headers]] in netlify.toml / headers in vercel.json
Laravel / Rails / Django	Response middleware

If your CSP is served as a <meta http-equiv="Content-Security-Policy"> tag instead of a header, edit the tag directly in your layout template.

Verifying the install

Open your site in a regular browser and check DevTools → Network for a loader.js request with status 200. Then check Application → Local storage for a mb_ key — that's the SDK's local event buffer, created on successful boot.