---
title: "CSP blocking the tracker"
description: "Fix Content-Security-Policy headers that block p.js or the /api/event endpoint."
source: "https://xpmetric.com/docs/troubleshooting/csp"
---
If pageviews never appear after installing `p.js`, your site's **Content-Security-Policy (CSP)** may block the script or the event POST.

## Symptoms

- Snippet is installed correctly but dashboard shows zero pageviews
- Browser console shows CSP violations for `xpmetric.com`
- XPmetric install scan flags **CSP may block tracking**

## Required CSP directives

Allow XPmetric's script host in `script-src` and the API host in `connect-src`:

<CspFixSnippet />

Replace hosts if you self-host or use a custom `NEXT_PUBLIC_APP_URL`.

## Where to add CSP

Common locations:

- **Next.js** — `headers()` in `next.config.ts` or middleware
- **Nginx / Caddy** — `Content-Security-Policy` response header
- **Cloudflare** — Transform Rules or Page Rules
- **WordPress** — security plugins (Wordfence, etc.)

Merge with your existing policy — don't replace unrelated directives.

## Verify

1. Update CSP and deploy.
2. Hard-refresh your site (or use incognito).
3. Open browser DevTools → Network — confirm `p.js` loads (200) and `POST /api/event` succeeds.
4. Re-scan from **Settings → Get Script** if available.

## Still stuck?

- Confirm the snippet is in `<head>` on the page you visit — see [install guides](/docs/install/html).
- Check ad blockers in dev (some block analytics domains).
- Email support from your XPmetric account with your domain and CSP header value.

