
Fix "Refused to load script" CSP Error

The browser console gives you everything you need to fix this. It shows the blocked URL, the directive that caused the block, and what your current policy says. Read the error, add the domain to the right directive, redeploy.

Browser Console Error
Refused to load the script 'https://cdn.example.com/widget.js' because it violates the following Content Security Policy directive: "script-src 'self' https://trusted.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Reading the error

This error tells you three things:

The fix is to add https://cdn.example.com to script-src.

Resource type to directive mapping

| Resource type | Directive | Example |
| --- | --- | --- |
| JavaScript files | script-src | script-src 'self' https://cdn.example.com |
| CSS stylesheets | style-src | style-src 'self' https://fonts.googleapis.com |
| Images | img-src | img-src 'self' data: https://images.example.com |
| Fonts | font-src | font-src 'self' https://fonts.gstatic.com |
| XHR / fetch / WebSocket | connect-src | connect-src 'self' https://api.example.com |
| Iframes | frame-src | frame-src https://www.youtube.com |
| Web Workers | worker-src | worker-src 'self' blob: |

Multiple violations at once

When you add a CSP for the first time, you will likely see many violations. Instead of fixing them one by one, use CSPFixer — it scans your live page, finds all external resources, and generates the complete CSP in one shot.
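The steps from "Reading the error", applied to a batch of console lines, as an added example that is not part of the original page and not CSPFixer's code. The names parsePolicy and patchPolicy are made up here, and the wording of stylesheet, image and font messages is assumed to follow the script message quoted above. Inline-script messages are only flagged, because adding an origin cannot fix them.

```javascript
// Added example: merge console CSP violations into an existing policy string.
// Assumption: non-script messages read "Refused to load the <type> '<url>' ..." like the script one.
const TYPE_TO_DIRECTIVE = new Map([['script', 'script-src'], ['stylesheet', 'style-src'],
                                   ['image', 'img-src'], ['font', 'font-src']]);
const LOAD_RE = /Refused to load the (\w+) '([^']+)' because it violates the following Content Security Policy directive: "([^"]+)"/;

// Parse a policy string into Map(directive name -> array of source expressions).
function parsePolicy(policy) {
  const map = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers honour only the first occurrence of a repeated directive.
    if (name && !map.has(name.toLowerCase())) map.set(name.toLowerCase(), sources);
  }
  return map;
}

// Apply every violation line; returns the patched policy plus items that need manual work.
function patchPolicy(policy, consoleLines) {
  const directives = parsePolicy(policy);
  const manual = [];
  for (const line of consoleLines) {
    const m = LOAD_RE.exec(line);
    if (!m) {
      if (/Refused to execute inline script/.test(line)) manual.push('inline script: use a nonce or hash');
      continue;
    }
    const [, type, url, violated] = m;
    const target = TYPE_TO_DIRECTIVE.get(type);
    let origin = null;
    try { origin = new URL(url).origin; } catch { /* not an absolute URL */ }
    if (!target || !origin || origin === 'null') { manual.push(`unhandled: ${url}`); continue; }
    if (!directives.has(target)) {
      // The browser fell back to another directive (e.g. default-src). An explicit
      // directive does not inherit from it, so seed the new one with the fallback's sources.
      const fallback = violated.trim().split(/\s+/)[0].toLowerCase();
      directives.set(target, [...(directives.get(fallback) || [])]);
    }
    const sources = directives.get(target).filter((s) => s.toLowerCase() !== "'none'");
    if (!sources.includes(origin)) sources.push(origin);  // origin only, deduplicated
    directives.set(target, sources);
  }
  return { policy: [...directives].map(([n, s]) => [n, ...s].join(' ')).join('; '), manual };
}

// Sample input: the two console messages quoted on this page.
const SAMPLE = [
  `Refused to load the script 'https://cdn.example.com/widget.js' because it violates the following Content Security Policy directive: "script-src 'self' https://trusted.com".`,
  `Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".`,
];
console.log(patchPolicy("script-src 'self' https://trusted.com", SAMPLE));
```

Review each origin before deploying the patched policy: a host source allows every script served from that origin, not just the file that was blocked.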

Inline script violations

Browser Console Error
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".

For inline scripts, you have three options:

// Option 1 — nonce (secure, works per-request)
<script nonce="random-base64-value">...</script>
// CSP: script-src 'self' 'nonce-random-base64-value'

// Option 2 — hash (secure, works for static scripts)
// CSP: script-src 'self' 'sha256-hash-of-script-content'

// Option 3 — unsafe-inline (not recommended, defeats XSS protection)
// CSP: script-src 'self' 'unsafe-inline'