Our pentest report had one line that stopped us cold: "Application does not implement Content-Security-Policy headers. XSS payloads executed without restriction." We had Sanctum, CSRF tokens, input validation, all the standard Laravel security checklist items. But we had no CSP. Without it, a single successful XSS attack could exfiltrate session cookies, inject malicious scripts, or silently redirect users to attacker-controlled pages, all from our own domain. A CSP does not stop the injection itself; it constrains what an injected script is allowed to load, execute and connect to, which is exactly the layer we were missing.

This is the story of how we added CSP to a production Laravel application without breaking anything, how we built a violation reporting pipeline, and the things we wish we'd known before starting.

What's in this guide

This post is written to be useful regardless of where you're starting from:

- Never heard of CSP? Start from the top. The first two sections give you the mental model before any code appears.
- Know what CSP is but haven't implemented it? Jump to The Implementation.
- Already running CSP and want to tighten it or add reporting?…