CSP Error

CSP: Refused to Connect

Last updated: April 2026

Browser Console Error
Refused to connect to 'https://api.yoursite.com/data' because it violates the following Content Security Policy directive: "connect-src 'self'".

Your Content Security Policy's connect-src directive is blocking a network request. This affects fetch(), XMLHttpRequest, WebSocket, EventSource, and navigator.sendBeacon() calls.


Fix: add the API URL to connect-src

# Before
Content-Security-Policy: default-src 'self'

# After: add your API domain
Content-Security-Policy: default-src 'self'; connect-src 'self' https://api.yoursite.com

Common connect-src fixes

External API calls

connect-src 'self' https://api.yoursite.com https://api.stripe.com;

WebSocket connections

# Use wss:// for secure WebSocket (not https://)
connect-src 'self' wss://ws.yoursite.com;

Google Analytics and Tag Manager

connect-src 'self' https://www.google-analytics.com https://analytics.google.com https://region1.google-analytics.com;

Sentry error reporting

connect-src 'self' https://*.sentry.io;

Hotjar / analytics tools

connect-src 'self' https://*.hotjar.com wss://*.hotjar.com;

Wildcard subdomains

# Allow all subdomains of yoursite.com
connect-src 'self' https://*.yoursite.com;

# Note: a wildcard matches subdomains at any depth, but not the bare domain
# https://*.yoursite.com matches api.yoursite.com and api.v2.yoursite.com
# but NOT yoursite.com itself

Development vs production

# Development: allow localhost
connect-src 'self' http://localhost:8000 ws://localhost:8000;

# Production
connect-src 'self' https://api.yoursite.com wss://ws.yoursite.com;
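
The matching rules behind the fixes above, as an added example (not code from the original page): a simplified JavaScript model of how a request URL is checked against connect-src, including the fallback to default-src and the scheme rule that stops an https:// source from covering a wss:// request. The function names and the page origin https://yoursite.com are assumptions; 'self' is treated as an exact origin match and source paths are ignored.

```javascript
// Simplified model of CSP connect-src matching; not a full CSP3 implementation.
const DEFAULT_PORT = { http: '80', https: '443', ws: '80', wss: '443' };

// A source scheme also covers its secure upgrade,
// but an https: source never covers a wss: request.
function schemeMatches(src, req) {
  return src === req ||
    (src === 'http' && req === 'https') ||
    (src === 'ws' && ['wss', 'http', 'https'].includes(req)) ||
    (src === 'wss' && req === 'https');
}

function sourceMatches(source, page, req) {
  const reqScheme = req.protocol.slice(0, -1);
  const s = source.toLowerCase();
  if (s === "'self'") return req.origin === page.origin; // assumption: exact origin only
  if (s === '*') return reqScheme in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s.slice(0, -1), reqScheme);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/']+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false; // 'none' and other quoted keywords match nothing here
  const [, scheme = page.protocol.slice(0, -1), host, port] = m;
  if (!schemeMatches(scheme, reqScheme)) return false;
  const hostOk = host.startsWith('*.')
    ? req.hostname.endsWith(host.slice(1)) // suffix match on ".yoursite.com"
    : req.hostname === host;
  const reqPort = req.port || DEFAULT_PORT[reqScheme];
  const portOk = port === '*' || reqPort === (port || DEFAULT_PORT[reqScheme]);
  return hostOk && portOk;
}

function connectSrcAllows(policy, pageUrl, requestUrl) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first occurrence wins
  }
  const sources = directives.get('connect-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no directive governs the request
  const page = new URL(pageUrl), req = new URL(requestUrl);
  return sources.some((src) => sourceMatches(src, page, req));
}

// Constructed sample: the production policy above, page served from https://yoursite.com
const POLICY = "default-src 'self'; connect-src 'self' https://api.yoursite.com wss://ws.yoursite.com";
for (const u of ['https://api.yoursite.com/data', 'wss://ws.yoursite.com/live', 'wss://api.yoursite.com/live'])
  console.log(u, connectSrcAllows(POLICY, 'https://yoursite.com/', u) ? 'allowed' : 'refused');
```

Running a candidate policy through a check like this in CI, against the list of endpoints the front end calls, catches a missing wss:// or localhost entry before the browser console does.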