CSP Mistakes with LaunchDarkly Feature Flags
LaunchDarkly is one of those tools that looks harmless from a CSP perspective until it quietly breaks in production. The SDK initializes, flags never arrive, and the only clue is a blocked request buried in DevTools. I’ve seen this a lot with frontend teams that already have a decent CSP and assume feature flags are “just another script.” They usually aren’t. LaunchDarkly needs network access for streaming, polling, events, and sometimes bootstrapping behavior that doesn’t fit neatly into a locked-down policy. ...