CSP not working
If your policy appears to be present but the page still misbehaves, the problem is usually in the actual response header, platform caching, or a mismatch between expected and real resource origins.
Check the real header first
- Open DevTools and inspect the HTML document response headers.
- Confirm whether you shipped Content-Security-Policy or only Content-Security-Policy-Report-Only.
- Make sure the header value is complete and not truncated by the platform.
Read the console violation carefully
The browser usually tells you which directive blocked the request and what source triggered it.
Most common causes
- A real dependency origin is missing from the correct directive.
- You expected report-only mode to block requests.
- Inline code has no nonce or hash.
- An old cached version of the header is still live.
- An upstream layer and the CDN are both writing CSP differently.
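
Several of the causes above can be checked mechanically from the response headers copied out of DevTools. The following is an added example, not part of the original page: the function names, finding labels and sample headers are constructed for illustration, and source matching is simplified to '*' or an exact origin.

```javascript
// Parse one CSP header value into a Map of directive -> source list.
function parsePolicy(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive inside one policy is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// headers: array of [name, value] pairs from the HTML document response.
// blocked: { directive, url } for a blocked fetch, or { directive, inline: true }.
function diagnoseCsp(headers, blocked) {
  const findings = [];
  const pick = (n) => headers.filter(([k]) => k.toLowerCase() === n).map(([, v]) => v);
  const enforced = pick('content-security-policy');
  const reportOnly = pick('content-security-policy-report-only');
  // Report-only policies log violations but never block anything.
  if (enforced.length === 0 && reportOnly.length > 0) findings.push('report-only-does-not-block');
  // Two layers writing CSP yields two policies; a resource must pass every one.
  if (enforced.length > 1) findings.push('multiple-policies-all-enforced');
  enforced.forEach((value, i) => {
    const policy = parsePolicy(value);
    // Fetch directives such as script-src fall back to default-src when absent.
    const sources = policy.get(blocked.directive) ?? policy.get('default-src');
    if (!sources) return; // this policy does not restrict the directive
    if (blocked.inline) {
      const ok = sources.some((s) => /^'(nonce-|sha(256|384|512)-|unsafe-inline')/.test(s));
      if (!ok) findings.push(`policy-${i}:inline-needs-nonce-or-hash`);
    } else {
      // Simplified matching: no 'self', host wildcards or path handling.
      const origin = new URL(blocked.url).origin;
      const ok = sources.some((s) => s === '*' || s === origin);
      if (!ok) findings.push(`policy-${i}:${blocked.directive}-missing-${origin}`);
    }
  });
  return findings;
}

// Constructed sample: the origin server and the CDN each add a different policy.
const sampleHeaders = [
  ['Content-Security-Policy', "default-src 'self'; script-src 'self' https://cdn.example.com"],
  ['content-security-policy', "default-src 'self'"],
];
console.log(diagnoseCsp(sampleHeaders, { directive: 'script-src', url: 'https://cdn.example.com/app.js' }));
```

The first policy allows the CDN script, but the second policy falls back to default-src and blocks it, which is why the request fails even though one header looks correct.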