
Troubleshooting

Solutions for common CSP configuration issues.

Verify the CSP header is being sent:

curl -I https://your-site.com | grep -i content-security-policy

You should see either Content-Security-Policy or Content-Security-Policy-Report-Only. Note that -I sends a HEAD request; if your origin or CDN only sets the header on GET responses, repeat the check with a GET (for example with the -D - -o /dev/null flags to dump the response headers) before concluding the header is missing. Also check that only one of the two headers is present per response, or that you intend both: a policy in Content-Security-Policy is enforced regardless of what Content-Security-Policy-Report-Only says.

Ensure your report-uri directive is correct:

report-uri https://ingest.headerhawk.com/csp/YOUR_SITE_ID

Common mistakes:

  • Missing https:// (a bare hostname is resolved relative to your page, so reports go to your own server and are lost)
  • Wrong site ID
  • Typo in the domain name
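To catch these mistakes before deploying, here is a small checker, added as an example for this page rather than a Header Hawk tool, that parses a CSP header value into its directives and validates the report-uri against the ingest URL shape shown above. The site ID and sample policies are placeholders chosen for the example; the ingest host and path shape are taken from the documentation.

```javascript
// Added example (not Header Hawk's own tooling): parse a CSP header value and
// check that its report-uri points at the Header Hawk ingest endpoint.
// Expected site IDs and the sample policies in the tests are constructed.

const INGEST_HOST = 'ingest.headerhawk.com';

// Parse "directive value value; directive ..." into a Map of directive -> [values].
// Directive names are case-insensitive, and browsers ignore a repeated
// directive, so only the first occurrence is kept.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns a list of human-readable problems with report-uri; [] means it looks right.
function checkReportUri(policy, expectedSiteId) {
  const problems = [];
  const values = parsePolicy(policy).get('report-uri');
  if (!values || values.length === 0) return ['no report-uri directive'];

  const uri = values[0];
  let url;
  try {
    url = new URL(uri); // throws on relative URLs, i.e. a missing scheme
  } catch {
    return [`report-uri is not an absolute URL (missing https://?): ${uri}`];
  }
  if (url.protocol !== 'https:') problems.push(`scheme is ${url.protocol}, expected https:`);
  if (url.host !== INGEST_HOST) problems.push(`host is ${url.host}, expected ${INGEST_HOST}`);
  const m = url.pathname.match(/^\/csp\/([^/]+)$/);
  if (!m) problems.push(`path is ${url.pathname}, expected /csp/<SITE_ID>`);
  else if (m[1] !== expectedSiteId) problems.push(`site ID is ${m[1]}, expected ${expectedSiteId}`);
  return problems;
}
```

Run it against the exact header value your server emits (paste the output of the curl check above), not against the value in your config, so that any rewriting by a CDN or reverse proxy is included in the check.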

Send a test report:

curl -X POST \
https://ingest.headerhawk.com/csp/YOUR_SITE_ID \
-H "Content-Type: application/csp-report" \
-d '{"csp-report":{"document-uri":"https://test.com","violated-directive":"test"}}'

A 204 No Content response means the endpoint accepted the report. The Content-Type must be application/csp-report, which is what browsers send for report-uri; the body is the same JSON object a browser would post, so a report you copy from the browser's network panel works here too.

Check the browser console for CSP messages. Violations are logged even in report-only mode; Chrome prefixes those messages with [Report Only], so you can tell a would-be block from an actual one.

Always use Content-Security-Policy-Report-Only first:

Content-Security-Policy-Report-Only: default-src 'self'; report-uri https://ingest.headerhawk.com/csp/YOUR_SITE_ID

This reports violations without blocking anything, so you can see what a policy would break before it breaks it.

Issue | Solution
Inline scripts blocked | Use nonces or hashes, or move the script to an external file ('unsafe-inline' also works but disables the XSS protection CSP is there to provide)
CDN scripts blocked | Add the CDN domain to script-src
Google Fonts blocked | Add fonts.googleapis.com to style-src and fonts.gstatic.com to font-src
Images not loading | Add the image domains to img-src (https: allows any HTTPS origin, which is broad but low risk for images)
API calls failing | Add the API domain to connect-src
To find out exactly what was blocked and why:

  1. Open browser DevTools
  2. Go to the Console tab
  3. Look for “Refused to…” messages
  4. Note the blocked URL and the violated directive; the message names both, and the directive tells you which part of the policy to change

Not every report means your policy is wrong: some violations are expected, and many come from browser extensions or pages you don't control. Filter in the Header Hawk dashboard by:

  • Document host (your domains only)
  • Blocked host (exclude known extension domains)
  • Directive (focus on critical directives)

Source | Cause | Action
chrome-extension:// | Browser extensions | Filter out in dashboard
moz-extension:// | Firefox extensions | Filter out in dashboard
about:blank | Injected iframes | Usually safe to ignore
localhost | Dev tools or extensions | Filter out in dashboard
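The same filtering can be done offline on an exported batch of reports, which is useful when deciding whether a policy is ready to enforce. The following triage script is an added example for this page, not part of Header Hawk: it buckets report-uri style JSON reports using the rules from the table (extension schemes, about:blank documents, localhost, documents not on your own hosts) and then counts what remains per directive and blocked host so the needed policy change is obvious. The own-host list and the sample reports are constructed for the example.

```javascript
// Added example (not Header Hawk code): triage CSP reports the way the dashboard
// filters describe, then summarise the actionable remainder.

// Assumption: the hosts this policy is deployed on.
const OWN_HOSTS = new Set(['www.example.com', 'example.com']);

// Chrome sometimes reports only the scheme ("chrome-extension") rather than a
// full URL, so match on the prefix without "://".
const EXTENSION_PREFIXES = ['chrome-extension', 'moz-extension'];

function hostOf(uri) {
  try {
    return new URL(uri).hostname;
  } catch {
    return null; // "inline", "eval", "data", "" and relative values have no host
  }
}

// Returns one of: extension, injected-frame, foreign-document, localhost, actionable
function classify(report) {
  const r = report['csp-report'] || {};
  const doc = r['document-uri'] || '';
  const blocked = r['blocked-uri'] || '';
  if (EXTENSION_PREFIXES.some((p) => blocked.startsWith(p) || doc.startsWith(p))) return 'extension';
  if (doc === 'about:blank') return 'injected-frame';
  const docHost = hostOf(doc);
  if (docHost === null || !OWN_HOSTS.has(docHost)) return 'foreign-document';
  const blockedHost = hostOf(blocked);
  if (blockedHost === 'localhost' || blockedHost === '127.0.0.1') return 'localhost';
  return 'actionable';
}

function triage(reports) {
  const buckets = { extension: [], 'injected-frame': [], 'foreign-document': [], localhost: [], actionable: [] };
  for (const rep of reports) buckets[classify(rep)].push(rep);
  return buckets;
}

// Count actionable reports by "<directive> <blocked host>", most frequent first.
// effective-directive is preferred because violated-directive may be the
// default-src fallback rather than the directive you need to edit.
function summarise(actionable) {
  const counts = new Map();
  for (const rep of actionable) {
    const r = rep['csp-report'];
    const directive = r['effective-directive'] || r['violated-directive'];
    const key = `${directive} ${hostOf(r['blocked-uri']) || r['blocked-uri']}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()].sort((a, b) => b[1] - a[1]);
}

// Constructed sample batch (not real traffic).
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://www.example.com/checkout', 'blocked-uri': 'https://cdn.example-assets.net/app.js', 'effective-directive': 'script-src', 'violated-directive': 'script-src' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'blocked-uri': 'chrome-extension://abcdefghijklmnop/content.js', 'effective-directive': 'script-src' } },
  { 'csp-report': { 'document-uri': 'about:blank', 'blocked-uri': 'https://tracker.example.net/pixel.gif', 'effective-directive': 'img-src' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/', 'blocked-uri': 'http://localhost:3000/devtools.js', 'effective-directive': 'script-src' } },
  { 'csp-report': { 'document-uri': 'https://mirror.example.org/', 'blocked-uri': 'https://cdn.example-assets.net/app.js', 'effective-directive': 'script-src' } },
  { 'csp-report': { 'document-uri': 'https://www.example.com/account', 'blocked-uri': 'inline', 'violated-directive': 'script-src' } },
  { 'csp-report': { 'document-uri': 'https://example.com/', 'blocked-uri': 'https://cdn.example-assets.net/vendor.js', 'effective-directive': 'script-src', 'violated-directive': 'default-src' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  const buckets = triage(SAMPLE_REPORTS);
  for (const [name, list] of Object.entries(buckets)) console.log(`${name}: ${list.length}`);
  console.log(summarise(buckets.actionable));
}
```

In the sample batch the summary shows two blocked loads from cdn.example-assets.net under script-src and one inline script, which maps directly onto the "CDN scripts blocked" and "Inline scripts blocked" rows above. Keep the foreign-document bucket around rather than deleting it: reports whose document-uri is a host you do not own can mean someone is mirroring or framing your pages.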
  1. Run in report-only mode for at least a week, long enough to cover low-traffic pages and weekly jobs
  2. Review all violation types in the dashboard
  3. Add legitimate resources to your policy
  4. Test critical user flows (login, checkout, payment) with the enforced header in a staging environment
  5. Have a rollback plan

Change the header from:

Content-Security-Policy-Report-Only: ...

To:

Content-Security-Policy: ...

Keep the report-uri to continue receiving reports about enforced blocks.

If things break:

  1. Immediately revert to Content-Security-Policy-Report-Only
  2. Check new violations in the dashboard
  3. Update policy to allow legitimate resources
  4. Try enforcing again

Problem: Refused to execute inline script

Solutions:

  1. Move to external file (recommended)
  2. Use a nonce. The nonce must be generated fresh for every response from a cryptographic random source and placed in both the header and the tag; abc123 below is a placeholder, and a fixed or predictable nonce gives no protection:
    Content-Security-Policy: script-src 'nonce-abc123'
    <script nonce="abc123">
    ...
    </script>
  3. Use a hash of the script's exact contents (everything between the tags, whitespace included), which works for static inline scripts that never change:
    Content-Security-Policy: script-src 'sha256-...'
  4. Allow unsafe-inline (not recommended, since it lets injected inline scripts run and defeats the main purpose of CSP; browsers also ignore it when the same directive contains a nonce or hash):
    Content-Security-Policy: script-src 'unsafe-inline'

Problem: Refused to apply inline style

Solutions:

  1. Move styles to an external CSS file (nonces and hashes work for style-src too, the same way as for scripts)
  2. Use 'unsafe-inline' for styles. This is lower risk than for scripts but not risk-free: injected CSS can exfiltrate form data via attribute selectors and background URLs, so prefer the first option on pages that handle secrets:
    Content-Security-Policy: style-src 'self' 'unsafe-inline'

Problem: Refused to evaluate a string as JavaScript

Cause: Your code or a library uses eval(), new Function(), setTimeout/setInterval with a string argument, or similar. The console message includes a stack trace, which identifies the library.

Solutions:

  1. Replace with safer alternatives (JSON.parse instead of eval for data, function references instead of strings for timers, or a build that precompiles templates)
  2. If unavoidable, add 'unsafe-eval' (security risk, since it lets injected code use eval as well):
    Content-Security-Policy: script-src 'unsafe-eval'

Problem: WebSocket connection refused

Solution: Add the WebSocket origin to connect-src, which also governs fetch, XMLHttpRequest and EventSource. Use the scheme the page actually connects with (wss:// for TLS):

Content-Security-Policy: connect-src 'self' wss://your-websocket-server.com

Problem: Cannot load content in iframe

Solution: Add the embedded page's exact host to frame-src. A host-source without a wildcard matches only that host, so for YouTube embeds (served from www.youtube.com) list www.youtube.com, not youtube.com:

Content-Security-Policy: frame-src 'self' https://www.youtube.com https://player.vimeo.com

Do not confuse this with frame-ancestors: frame-src controls what your page may embed, frame-ancestors controls who may embed your page.

If you’re stuck:

  1. Check the browser console for specific error messages
  2. Review violations in the Header Hawk dashboard
  3. Search for the specific directive and error message
  4. Test with a minimal policy and add directives incrementally