CSP Error

CSP: Refused to Load

Last updated: April 2026

Browser Console
Refused to load the script 'https://cdn.example.com/script.js' because it violates the following Content Security Policy directive: "script-src 'self'".

Your CSP is blocking a resource because its source is not in the allowed list for that directive. The error message tells you exactly which directive and which URL.

Fix: add the source to the correct directive

# Script blocked by script-src
Content-Security-Policy: script-src 'self' https://cdn.example.com

# Style blocked by style-src
Content-Security-Policy: style-src 'self' https://fonts.googleapis.com

# API call blocked by connect-src
Content-Security-Policy: connect-src 'self' https://api.yoursite.com

# Image blocked by img-src
Content-Security-Policy: img-src 'self' data: https:
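To see why the console error above maps to exactly one of these fixes, here is an added example (not code from this page or any browser) that models the browser's decision offline: it parses a header value, picks the directive that governs a resource type (the specific one, else default-src), matches the URL against each source expression, and builds the fix. It assumes a page origin of https://www.yoursite.com and covers only the source forms this page uses ('self', scheme sources such as https: and data:, host sources with an optional *. wildcard and port); nonces, hashes, path matching and the http-to-https upgrade are left out.

```javascript
// Added example: a minimal model of a browser's CSP "Refused to load" decision.
// Scope: 'self', scheme sources (https:, data:), host sources with *. wildcard and port.
// Not modelled: nonces, hashes, path matching, http->https upgrade of schemeless hosts.
const DIRECTIVE_FOR = { script: 'script-src', style: 'style-src', connect: 'connect-src',
                        img: 'img-src', font: 'font-src' };
const DEFAULT_PORT = { 'https:': '443', 'http:': '80', 'wss:': '443', 'ws:': '80' };

// Split a header value into directive -> source list (first occurrence of a directive wins).
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !policy.has(tokens[0].toLowerCase())) {
      policy.set(tokens[0].toLowerCase(), tokens.slice(1));
    }
  }
  return policy;
}

// Does one source expression permit this URL? pageOrigin is the document's own origin.
function sourceMatches(src, url, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false;                 // 'none', nonces, hashes: never a host match
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;   // scheme source: https:, data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  const h = url.hostname;
  if (host !== '*' && (wildcard ? !h.endsWith('.' + host) : h !== host)) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  const srcPort = port || (scheme ? DEFAULT_PORT[scheme + ':'] : urlPort);
  return srcPort === '*' || urlPort === srcPort;
}

// Governing directive is the specific one, else default-src; the fix keeps the existing
// sources and adds the blocked origin on the specific directive (never on default-src).
function checkLoad(header, type, resourceUrl, pageOrigin) {
  const policy = parsePolicy(header);
  const url = new URL(resourceUrl);
  const specific = DIRECTIVE_FOR[type];
  const directive = policy.has(specific) ? specific
                  : policy.has('default-src') ? 'default-src' : null;
  if (!directive) return { allowed: true, directive: null, fix: null };
  const sources = policy.get(directive);
  const allowed = sources.some(src => sourceMatches(src, url, pageOrigin));
  // data:/blob: URLs have an opaque ('null') origin, so the fix is the scheme source itself.
  const addition = url.origin === 'null' ? url.protocol : url.origin;
  const kept = sources.filter(src => src.toLowerCase() !== "'none'");
  return { allowed, directive, fix: allowed ? null : `${specific} ${[...kept, addition].join(' ')}` };
}
```

Running checkLoad("script-src 'self'", 'script', 'https://cdn.example.com/script.js', 'https://www.yoursite.com') reproduces the console error above and returns the first fix in this list; a policy with only default-src reports default-src as the blocking directive but still proposes the change on the specific directive, which is the narrowest header edit.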

Test without breaking: report-only mode

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; report-uri /csp-report

Common fixes

Google Fonts: style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com

Google Analytics: script-src 'self' https://www.googletagmanager.com; connect-src 'self' https://www.google-analytics.com

Inline scripts: Use nonces instead of 'unsafe-inline'.