DevBolt
Processed in your browser. Your data never leaves your device.

Common CSP Issues & Troubleshooting

Content Security Policy errors can break your site if misconfigured. This guide covers the most common CSP issues, explains what causes them, and shows you how to fix each one.

CSP Header Builder

Build Content Security Policy headers visually with framework presets, security analysis, and multi-format output.

Directives

Fetch Directives

Document Directives

Navigation Directives

Output Format

Generated Policy

Content-Security-Policy: upgrade-insecure-requests

Security Analysis

No directives enabled. Enable at least default-src to start.

Policy Stats

0
Directives
25
Characters
0
Warnings

Related Guides

CSP Directives GuideCSP Framework ExamplesCommon CSP Issues

Refused to execute inline script

This error means your CSP blocks inline <script> tags and on* event handlers. Fix options: (1) Move inline scripts to external files (best), (2) Add a nonce to each script tag and include 'nonce-{value}' in script-src, (3) Add 'unsafe-inline' to script-src (weakens security). Using nonces with 'strict-dynamic' is the recommended modern approach.

Refused to load the stylesheet

Your CSP is blocking a CSS file or inline style. Check style-src — does it include the stylesheet's origin? For CSS-in-JS libraries (styled-components, Emotion), you need 'unsafe-inline' in style-src. For external stylesheets (Google Fonts), add the CDN domain: style-src 'self' https://fonts.googleapis.com.

Refused to connect

Your fetch(), XHR, or WebSocket call is blocked. The connect-src directive controls these. Add your API endpoint domain: connect-src 'self' https://api.example.com. Don't forget WebSocket URLs (wss://), analytics endpoints, and any third-party APIs your app calls.

Frequently Asked Questions

How do I debug CSP errors?

Open your browser's Developer Tools Console — CSP violations appear as errors with the blocked resource URL and the directive that blocked it. Use Content-Security-Policy-Report-Only header to test without breaking your site. You can also set up report-uri to collect violations server-side.

What is Content-Security-Policy-Report-Only?

Report-Only mode logs CSP violations to the console (and optionally to a report-uri endpoint) without actually blocking anything. Use it to test a new CSP before enforcing it. Once you see no unexpected violations, switch to the enforcing Content-Security-Policy header.

Why does my CSP work locally but break in production?

Common causes: (1) Third-party scripts loaded in production but not locally (analytics, chat widgets, ads), (2) CDN domains not in your allowlist, (3) Inline scripts added by your hosting platform, (4) Different URL schemes (http vs https). Always test with Report-Only in production first.

Related tools

CSP Directives GuideCSP Framework Examples← All CSP Header Builder features

Related Generate Tools

GRD

CSS Gradient Generator

Create beautiful CSS gradients visually with live preview

QR

QR Code Generator

Generate customizable QR codes from text or URLs

PAL

Color Palette Generator

Generate harmonious color palettes using color theory algorithms

SHD

Box Shadow Generator

Design CSS box shadows visually with multiple layers, presets, and live preview