CSP blocking the tracker
Fix Content-Security-Policy headers that block p.js or the /api/event endpoint.
If pageviews never appear after installing p.js, your site's Content-Security-Policy (CSP) may block the script or the event POST.
Symptoms
- Snippet is installed correctly but dashboard shows zero pageviews
- Browser console shows CSP violations for
xpmetric.com - XPmetric install scan flags CSP may block tracking
Required CSP directives
Allow XPmetric's script host in script-src and the API host in connect-src:
script-src https://xpmetric.com/p.js;
connect-src https://xpmetric.com/api/event;Replace hosts if you self-host or use a custom NEXT_PUBLIC_APP_URL.
Where to add CSP
Common locations:
- Next.js —
headers()innext.config.tsor middleware - Nginx / Caddy —
Content-Security-Policyresponse header - Cloudflare — Transform Rules or Page Rules
- WordPress — security plugins (Wordfence, etc.)
Merge with your existing policy — don't replace unrelated directives.
Verify
- Update CSP and deploy.
- Hard-refresh your site (or use incognito).
- Open browser DevTools → Network — confirm
p.jsloads (200) andPOST /api/eventsucceeds. - Re-scan from Settings → Get Script if available.
Still stuck?
- Confirm the snippet is in
<head>on the page you visit — see install guides. - Check ad blockers in dev (some block analytics domains).
- Email support from your XPmetric account with your domain and CSP header value.