Table of Contents

  1. Problem
  2. Diagnostic
  3. What This Can Impact
  4. Action to Take
  5. Pro Tip

Magento Security: CSP Error – Refused to Connect

While working with Content Security Policy (CSP) in Magento 2, you may sometimes notice API calls failing during checkout or payment processing.

A common console error appears like the following:

Refused to connect to ‘api.paymentgateway.com’

because it violates the following Content Security Policy directive:

“connect-src ‘self'”.

This Magento CSP connect error indicates that the browser has blocked a request because the domain being accessed is not allowed by the current CSP policy.

The Problem

CSP in Magento can run in two modes:

  1. Report-Only Mode
     In this mode, the browser does not block the resource, but it logs Magento CSP connect error violations in the console. This allows developers to detect policy issues without affecting the functionality of the website.
  2. Enforced Mode
     In this mode, the browser actively blocks any resource that violates the CSP rules.

When debugging CSP issues, the first step is to check which CSP configuration your server is returning.

You can verify this by opening:

Chrome DevTools → Network → Headers

Look for one of the following response headers:

Content-Security-Policy

or

Content-Security-Policy-Report-Only

If the site is running in Report-Only mode, the browser console may show warnings such as:

Refused to connect to ‘api.paymentgateway.com’

because it violates the following Content Security Policy directive:

“connect-src ‘self'”.

Even though the resource may still load in this mode, the warning indicates that the domain is not currently allowed by the defined CSP policy.

Diagnostic

CSP allows API calls only from domains defined in the connect-src directive.

For example, a CSP policy may look like this:

connect-src ‘self’

This configuration allows connections only to the same origin as the website.

However, Magento may attempt to connect to an external API such as:

api.paymentgateway.com

Since this domain is not whitelisted in the CSP policy, the browser blocks the request , causing a Magento CSP connect error when CSP is enforced.

To quickly identify this issue, open:

Chrome DevTools → Console

The console typically shows:

  • The blocked domain
  • The violated directive
  • The type of request that was blocked

This information helps quickly diagnose which CSP rule needs to be updated.

What This Can Impact

If the required API domain is not allowed in CSP, it can lead to several functional issues on the website, including:

  • Payment gateway APIs not working
  • Checkout requests failing
  • Analytics or tracking APIs not sending data

These issues occur because the browser refuses to establish the connection with external services that are not explicitly allowed in the CSP configuration.

Action to Take

To resolve this issue, the required domain must be added to the CSP whitelist.

In Magento, this is done by updating the csp_whitelist.xml configuration file and allowing the domain under the connect-src policy.

Example configuration:

< policy id=”connect-src” >

< values >

< value id=”payment-api” type=”host” >

api.paymentgateway.com

< /value >

< /values >

< /policy >

Once the domain is added, Magento will include it in the CSP policy, allowing the browser to connect to the external API.

Pro Tip

A simple and effective way to debug CSP issues is to always start with the browser console.

Open:

Chrome DevTools → Console

In most cases, the console will clearly show:

  • The blocked domain
  • The violated CSP directive
  • The type of rule required

This information makes diagnosing and fixing Magento CSP connect error issues much faster and more efficient.

chat-with-us

Latest Posts

Magento Security: CSP Error – Refused to Load the Script
Magento Security: CSP Error – Refused to Load the Script
Gallery

Magento Security: CSP Error – Refused to Load the Script

March 19th, 2026|0 Comments
Varnish Memory & Storage Optimization
Varnish Memory & Storage Optimization
Gallery

Varnish Memory & Storage Optimization

March 16th, 2026|0 Comments
Magento Performance: Debugging Varnish Cache Fragmentation
Magento Performance: Debugging Varnish Cache Fragmentation
Gallery

Magento Performance: Debugging Varnish Cache Fragmentation

March 13th, 2026|0 Comments
Magento Performance Tuning: Understanding VCL Hashing and X-Vary
Magento Performance Tuning: Understanding VCL Hashing and X-Vary
Gallery

Magento Performance Tuning: Understanding VCL Hashing and X-Vary

March 9th, 2026|0 Comments
Magento Performance: Varnish Cache Ratio – How Query Params Kill It
Magento Performance: Varnish Cache Ratio – How Query Params Kill It
Gallery

Magento Performance: Varnish Cache Ratio – How Query Params Kill It

March 9th, 2026|0 Comments
Magento Performance: Varnish Hashing Strategy (vcl_hash)
Magento Performance: Varnish Hashing Strategy (vcl_hash)
Gallery

Magento Performance: Varnish Hashing Strategy (vcl_hash)

March 6th, 2026|0 Comments
Magento 2 + Varnish: How vcl_recv Improves Cache Hit Ratio
Magento 2 + Varnish: How vcl_recv Improves Cache Hit Ratio
Gallery

Magento 2 + Varnish: How vcl_recv Improves Cache Hit Ratio

March 6th, 2026|0 Comments
The AI Era: Why Your Magento Store Needs Fewer Modules and Smarter Code with AI in Magento Development
The AI Era: Why Your Magento Store Needs Fewer Modules and Smarter Code with AI in Magento Development
Gallery

The AI Era: Why Your Magento Store Needs Fewer Modules and Smarter Code with AI in Magento Development

March 5th, 2026|0 Comments
Magento 2 + Varnish Cache Performance
Magento 2 + Varnish Cache Performance
Gallery

Magento 2 + Varnish Cache Performance

March 5th, 2026|0 Comments