Fixing CSP Errors That Block Admaxxer

TL;DR: Add https://admaxxer.com (and your proxy domain, if any) to both the script-src and connect-src directives in your Content Security Policy. If your CSP is currently unset or uses *, you do not need to change anything.

Why this happens

Many frameworks (Next.js, Rails, Laravel, Shopify, WordPress security plugins) now ship with a locked-down default CSP. When the Admaxxer pixel tries to load /js/script.js from https://admaxxer.com, the browser quietly refuses and logs an error like:

Refused to load the script 'https://admaxxer.com/js/script.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".

When /api/event calls are blocked, you will see:

Refused to connect to 'https://admaxxer.com/api/event' because it violates the Content Security Policy directive: "connect-src 'self'".

Step 1 — Confirm CSP is the culprit

  1. Open your site, press F12, go to the Console tab.
  2. Hard-reload the page (Ctrl+Shift+R / Cmd+Shift+R).
  3. Look for errors containing "Content Security Policy" or "Refused to".
  4. Go to the Network tab, filter by script.js or event. Blocked requests show as (blocked:csp).

If you see these, CSP is the cause. Continue below.

Step 2 — Find where your CSP is set

CSP can be set in three places (strongest to weakest, in evaluation order):

Check the response headers for any page:

curl -I https://yourdomain.com/ | grep -i content-security

Step 3 — Add Admaxxer to the allowlist

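You need to add https://admaxxer.com to two directives: script-src, so the browser may load /js/script.js, and connect-src, so the /api/event calls are allowed.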

Example — before

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';

Example — after

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://admaxxer.com; connect-src 'self' https://admaxxer.com;

If you proxy the pixel through your own domain (recommended), you only need 'self' — no third-party entry required. See our NGINX proxy guide and Cloudflare proxy guide.
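
To check a policy before deploying it, the following added example (not Admaxxer's code) parses a CSP string and reports which governing directive still blocks the pixel origin, including the default-src fallback and the proxied 'self' case. The function names and the simplified source matching are assumptions made for illustration; ports, paths, nonces and hashes are not modelled.

```javascript
// Added example (not Admaxxer code). Simplified CSP source matching: handles
// '*', scheme sources ("https:"), 'self', host sources with or without a
// scheme, and "*.host" wildcards. Ports, paths, nonces, hashes are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers ignore a repeated directive, so the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceAllows(source, target, pageOrigin) {
  const src = source.toLowerCase();
  if (src === '*') return true;
  if (src === "'self'") return new URL(pageOrigin).origin === target.origin;
  if (src === target.protocol) return true; // scheme source such as "https:"
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:']+)/);
  if (!m) return false; // quoted keywords, nonces and hashes name no host
  const [, scheme, host] = m;
  if (scheme && `${scheme}:` !== target.protocol) return false;
  // "*.example.com" covers subdomains only, never the bare domain.
  if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1));
  return host === target.hostname;
}

// Returns the governing directives that still block the pixel origin.
function blockedDirectives(policy, pageOrigin, pixelOrigin = 'https://admaxxer.com') {
  const csp = parseCsp(policy);
  const target = new URL(pixelOrigin);
  const blocked = new Set();
  for (const wanted of ['script-src', 'connect-src']) {
    // Without a specific directive the browser falls back to default-src.
    const governing = csp.has(wanted) ? wanted : 'default-src';
    const sources = csp.get(governing);
    if (sources === undefined) continue; // no CSP restriction on this fetch
    if (!sources.some((s) => sourceAllows(s, target, pageOrigin))) blocked.add(governing);
  }
  return [...blocked];
}

// Policies copied from the "before" and "after" examples on this page.
const before = "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self';";
const after = "default-src 'self'; script-src 'self' 'unsafe-inline' https://admaxxer.com; connect-src 'self' https://admaxxer.com;";
console.log(blockedDirectives(before, 'https://yourdomain.com'));
console.log(blockedDirectives(after, 'https://yourdomain.com'));
```

A result naming default-src means the policy has no script-src or connect-src of its own, so the fallback is what blocks the request.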

Framework-specific examples

Next.js (next.config.js)

module.exports = {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [{
        key: 'Content-Security-Policy',
        value: "default-src 'self'; script-src 'self' 'unsafe-inline' https://admaxxer.com; connect-src 'self' https://admaxxer.com;",
      }],
    }];
  },
};

NGINX

add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://admaxxer.com; connect-src 'self' https://admaxxer.com;" always;

Apache (.htaccess)

Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://admaxxer.com; connect-src 'self' https://admaxxer.com;"

Rails (config/initializers/content_security_policy.rb)

Rails.application.config.content_security_policy do |policy|
  policy.script_src  :self, 'https://admaxxer.com'
  policy.connect_src :self, 'https://admaxxer.com'
end

WordPress (security plugin)

In Wordfence / Shield Security / Really Simple SSL, open the CSP editor and add https://admaxxer.com to both the Allowed scripts and Allowed AJAX endpoints lists. Save and hard-reload.

Step 4 — Verify the fix

  1. Hard-reload the page.
  2. Check console — CSP errors should be gone.
  3. In the Admaxxer dashboard, go to Analytics › Realtime. A pageview should appear within ~5 seconds.

Still blocked?
