CSP.

18 Content-Security-Policy violation reports across 4 surfaces. 6 from unknown third-party scripts injected post-deploy. 2 from inline event handlers that should've been hashed.

CSP report-uri is a vulnerability sensor most teams never read.

CSP-011 · unsafe-inline on /checkout BLOCKED

Inline onclick handler. 412 violations in 24h.

Hash the handler, ship to CSP allowlist, monitor for 7d.