HGF
https://www.hgf.com ↗Your policy is ready
You have two options for deploying this policy. Start with Report-Onlyif the site is live and you want to be cautious — it won't break anything. When you're confident the policy is complete, switch to the enforcing header which actively blocks unauthorised resources.
① Start here — Report-Only
Use Content-Security-Policy-Report-Only. Nothing is blocked. Violations are still reported to CSP Studio so you can catch any gaps.
② When ready — Enforcing
Swap to Content-Security-Policy. Unauthorised resources are now actively blocked. Keep the report-uri so ongoing violations are still captured.
Violation collector endpoint
https://csp.tall.agency/api/report/8161ee2d-9823-4ccf-adc0-d7c3a0b248bfPaste this URL as the report-uri in your hosting platform's CSP header.
Content-Security-Policy-Report-Only
default-src 'self' https://use.typekit.net 'unsafe-inline' https://www.hgf.com https://registry.blockmarktech.com data: https://cdn-cookieyes.com https://www.googletagmanager.com https://p.typekit.net https://img.hgf.com https://log.cookieyes.com https://cdn.mouseflow.com https://snap.licdn.com https://directory.cookieyes.com https://region1.google-analytics.com https://px.ads.linkedin.com; script-src 'self' https://www.hgf.com data: https://www.googletagmanager.com https://cdn.mouseflow.com 'unsafe-inline' https://go.hgf.com https://cdn-cookieyes.com https://snap.licdn.com http://www.hgf.com 'unsafe-eval' https://yoast.com https://fast.wistia.net https://www.google.com https://www.gstatic.com https://images.uc.cn https://www.google-analytics.com https://browser.sentry-cdn.com https://fast.wistia.com https://beacon-v2.helpscout.net https://translate.google.com https://translate.googleapis.com https://translate-pa.googleapis.com https://ajax.googleapis.com https://acumbamail.com https://ams.wpml.org; style-src 'self' 'unsafe-inline' https://use.typekit.net https://www.hgf.com https://fonts.googleapis.com https://p.typekit.net https://ams.wpml.org https://www.gstatic.com https://acumbamail.com; img-src 'self' data: https://px.ads.linkedin.com https://www.hgf.com https://files.bugherd.com https://cdn-cookieyes.com https://img.hgf.com https://adamsons.com https://secure.gravatar.com https://www.googletagmanager.com https://translate.google.com https://fonts.gstatic.com https://fast.wistia.com https://embed-ssl.wistia.com https://storage.googleapis.com https://www.gstatic.com http://0.0.22.196 https://www.google.com https://translate.googleapis.com blob: https://img.youtube.com; font-src 'self' https://use.typekit.net https://fonts.gstatic.com https://www.hgf.com data: https://s0.wp.com https://fast.wistia.com https://cdn.scite.ai https://cdnjs.cloudflare.com; connect-src 'self' https://www.google-analytics.com https://www.hgf.com https://log.cookieyes.com https://cdn-cookieyes.com https://region1.google-analytics.com https://px.ads.linkedin.com wss://ws-mt1.pusher.com https://directory.cookieyes.com http://www.hgf.com https://my.yoast.com https://use.typekit.net https://p.typekit.net https://fonts.googleapis.com https://www.google.com https://www.googletagmanager.com https://pipedream.wistia.com https://yoast.com https://fast.wistia.com https://translate.googleapis.com https://distillery.wistia.com https://embed-cloudfront.wistia.com data: https://translate-pa.googleapis.com https://emlsend.com https://sockjs.pusher.com https://ams.wpml.org; frame-src https://registry.blockmarktech.com https://fast.wistia.net https://www.hgf.com https://www.google.com https://cdn.yoshki.com https://player.vimeo.com https://www.youtube.com https://gateway.zscaler.net; object-src 'none'; base-uri 'self'; form-action 'self'; media-src 'self' https://www.hgf.com blob: data: http://www.hgf.com; worker-src 'self' https://www.hgf.com blob:; report-uri https://csp.tall.agency/api/report/8161ee2d-9823-4ccf-adc0-d7c3a0b248bf
Content-Security-Policy (enforcing)
default-src 'self' https://use.typekit.net 'unsafe-inline' https://www.hgf.com https://registry.blockmarktech.com data: https://cdn-cookieyes.com https://www.googletagmanager.com https://p.typekit.net https://img.hgf.com https://log.cookieyes.com https://cdn.mouseflow.com https://snap.licdn.com https://directory.cookieyes.com https://region1.google-analytics.com https://px.ads.linkedin.com; script-src 'self' https://www.hgf.com data: https://www.googletagmanager.com https://cdn.mouseflow.com 'unsafe-inline' https://go.hgf.com https://cdn-cookieyes.com https://snap.licdn.com http://www.hgf.com 'unsafe-eval' https://yoast.com https://fast.wistia.net https://www.google.com https://www.gstatic.com https://images.uc.cn https://www.google-analytics.com https://browser.sentry-cdn.com https://fast.wistia.com https://beacon-v2.helpscout.net https://translate.google.com https://translate.googleapis.com https://translate-pa.googleapis.com https://ajax.googleapis.com https://acumbamail.com https://ams.wpml.org; style-src 'self' 'unsafe-inline' https://use.typekit.net https://www.hgf.com https://fonts.googleapis.com https://p.typekit.net https://ams.wpml.org https://www.gstatic.com https://acumbamail.com; img-src 'self' data: https://px.ads.linkedin.com https://www.hgf.com https://files.bugherd.com https://cdn-cookieyes.com https://img.hgf.com https://adamsons.com https://secure.gravatar.com https://www.googletagmanager.com https://translate.google.com https://fonts.gstatic.com https://fast.wistia.com https://embed-ssl.wistia.com https://storage.googleapis.com https://www.gstatic.com http://0.0.22.196 https://www.google.com https://translate.googleapis.com blob: https://img.youtube.com; font-src 'self' https://use.typekit.net https://fonts.gstatic.com https://www.hgf.com data: https://s0.wp.com https://fast.wistia.com https://cdn.scite.ai https://cdnjs.cloudflare.com; connect-src 'self' https://www.google-analytics.com https://www.hgf.com https://log.cookieyes.com https://cdn-cookieyes.com https://region1.google-analytics.com https://px.ads.linkedin.com wss://ws-mt1.pusher.com https://directory.cookieyes.com http://www.hgf.com https://my.yoast.com https://use.typekit.net https://p.typekit.net https://fonts.googleapis.com https://www.google.com https://www.googletagmanager.com https://pipedream.wistia.com https://yoast.com https://fast.wistia.com https://translate.googleapis.com https://distillery.wistia.com https://embed-cloudfront.wistia.com data: https://translate-pa.googleapis.com https://emlsend.com https://sockjs.pusher.com https://ams.wpml.org; frame-src https://registry.blockmarktech.com https://fast.wistia.net https://www.hgf.com https://www.google.com https://cdn.yoshki.com https://player.vimeo.com https://www.youtube.com https://gateway.zscaler.net; object-src 'none'; base-uri 'self'; form-action 'self'; media-src 'self' https://www.hgf.com blob: data: http://www.hgf.com; worker-src 'self' https://www.hgf.com blob:
Directive breakdown — 12 directives
Snapshot generated 1 June 2026 at 15:19