CSP blocking the tracker

Fix Content-Security-Policy headers that block p.js or the /api/event endpoint.

If pageviews never appear after installing p.js, your site's Content-Security-Policy (CSP) may block the script or the event POST.

Symptoms

  • Snippet is installed correctly but dashboard shows zero pageviews
  • Browser console shows CSP violations for xpmetric.com
  • XPmetric install scan flags CSP may block tracking

Required CSP directives

Allow XPmetric's script host in script-src and the API host in connect-src:

script-src https://xpmetric.com/p.js;
connect-src https://xpmetric.com/api/event;

Replace hosts if you self-host or use a custom NEXT_PUBLIC_APP_URL.

Where to add CSP

Common locations:

  • Next.jsheaders() in next.config.ts or middleware
  • Nginx / CaddyContent-Security-Policy response header
  • Cloudflare — Transform Rules or Page Rules
  • WordPress — security plugins (Wordfence, etc.)

Merge with your existing policy — don't replace unrelated directives.

Verify

  1. Update CSP and deploy.
  2. Hard-refresh your site (or use incognito).
  3. Open browser DevTools → Network — confirm p.js loads (200) and POST /api/event succeeds.
  4. Re-scan from Settings → Get Script if available.

Still stuck?

  • Confirm the snippet is in <head> on the page you visit — see install guides.
  • Check ad blockers in dev (some block analytics domains).
  • Email support from your XPmetric account with your domain and CSP header value.