Skip to content
VEKTIS

Content Security Policy

If your application sends a Content-Security-Policy header, the browser will block the tracker’s network call to https://events.vektis.io unless you explicitly allow it.

You need to add https://events.vektis.io to the connect-src directive of your CSP.

Symptoms of a CSP block

Section titled “Symptoms of a CSP block”
  • Events appear queued in vektis.getStatus().queueLength but never send
  • Browser console shows: Refused to connect to 'https://events.vektis.io/...' because it violates the following Content Security Policy directive: "connect-src ..."
  • The claude /vektis-troubleshoot skill flags VEK_TRK_NETWORK_ERROR with a CSP hypothesis

Snippets by platform

Section titled “Snippets by platform”

Add a CSP header in next.config.ts:

next.config.ts
import type { NextConfig } from "next";


const csp = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data: https:",
  "connect-src 'self' https://events.vektis.io",
].join("; ");


const nextConfig: NextConfig = {
  async headers() {
    return [
      {
        source: "/:path*",
        headers: [{ key: "Content-Security-Policy", value: csp }],
      },
    ];
  },
};


export default nextConfig;

Verifying CSP is correctly set

Section titled “Verifying CSP is correctly set”

After deploying with the updated header, send a test event and confirm vektis.getStatus().queueLength returns to 0 within a few seconds. If the queue length stays elevated, open the browser Network tab and look for a request to events.vektis.io — a CSP block surfaces there as a (blocked:csp) status.

Section titled “Related”