If you treat this as a "shameful failure," your team will be afraid to deploy strict security measures. Adopt the Sethi mindset: ship the policy under the Content-Security-Policy-Report-Only header first, so the browser reports violations without blocking anything. Collect the reports, see what would break, fix it, then switch to the enforcing Content-Security-Policy header and move on. No guilt, just technical resolution.
When a user lands on your site, they aren't thinking about your CSP headers. They are trusting you. If your CSP is weak and an attacker injects a crypto-mining script or a phishing overlay, you are stealing that user's "Rich Life" experience.
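The report-only rollout described above, as an added example that is not part of the original post: a small Node.js module that serializes a policy into the Report-Only header, parses the JSON violation reports a browser POSTs back, tallies them by directive and origin so the team can see what would break, and produces the fixed policy for the enforcing header. The `/csp-report` endpoint path, the `shop.example` hosts and the sample reports are all constructed for the example.

```javascript
// Added example (not from the original post). Assumes a reporting endpoint at
// /csp-report; all hosts and report bodies below are constructed sample data.

const basePolicy = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "img-src": ["'self'"],
  "report-uri": ["/csp-report"], // assumed endpoint that receives violation reports
};

// Serialize a policy object into header syntax: "directive src src; directive src".
function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Stage 1 ships the policy under the Report-Only header (observe, block nothing);
// stage 2 flips to the enforcing header once the reports are clean.
function cspHeader(policy, { enforce = false } = {}) {
  const name = enforce ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only";
  return { name, value: serializePolicy(policy) };
}

// Browsers POST each violation as JSON wrapped in a "csp-report" object.
function parseCspReport(body) {
  const r = JSON.parse(body)["csp-report"];
  if (!r || typeof r !== "object") throw new Error("not a CSP violation report");
  const directive = String(r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
  if (!directive) throw new Error("report has no directive");
  return {
    directive,
    blockedUri: r["blocked-uri"] || "", // "inline" for inline scripts, "eval" for eval()
    documentUri: r["document-uri"] || "",
  };
}

// Reduce blocked-uri to an origin so the allowlist decision is per host, not per file.
function blockedOrigin(blockedUri) {
  try {
    return new URL(blockedUri).origin;
  } catch {
    return blockedUri; // non-URL values such as "inline", "eval", "data"
  }
}

// Count violations per directive and origin: this is the triage list for the team.
function summarize(bodies) {
  const counts = {};
  for (const body of bodies) {
    const { directive, blockedUri } = parseCspReport(body);
    const origin = blockedOrigin(blockedUri);
    if (!counts[directive]) counts[directive] = {};
    counts[directive][origin] = (counts[directive][origin] || 0) + 1;
  }
  return counts;
}

// The fix: a legitimate first-party asset host gets added to the directive's
// allowlist. Returns a new policy object; the original is left untouched.
function allowOrigin(policy, directive, origin) {
  const sources = policy[directive] || policy["default-src"] || [];
  return {
    ...policy,
    [directive]: sources.includes(origin) ? sources : [...sources, origin],
  };
}

// Constructed sample reports in the shape browsers send them (values invented).
const sampleReports = [
  JSON.stringify({ "csp-report": { "document-uri": "https://shop.example/checkout", "effective-directive": "script-src", "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.shop.example/app.js" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://shop.example/checkout", "effective-directive": "script-src", "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.shop.example/vendor.js" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://shop.example/", "violated-directive": "script-src 'self'", "blocked-uri": "inline" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://shop.example/", "effective-directive": "img-src", "violated-directive": "img-src 'self'", "blocked-uri": "https://unknown-tracker.example/pixel.gif" } }),
];

// Stand-alone run: the report-only header, the triage table, then the enforcing
// header after the known CDN has been allowlisted.
console.log(cspHeader(basePolicy));
console.log(summarize(sampleReports));
console.log(cspHeader(allowOrigin(basePolicy, "script-src", "https://cdn.shop.example"), { enforce: true }));
```

The triage table is where the mindset pays off: the two `cdn.shop.example` hits are your own CDN and get allowlisted, the `inline` hit points at a script that needs a nonce or an external file, and the unknown tracker origin is something to investigate rather than allow. `report-uri` is the older reporting directive and is still honoured by browsers; newer deployments add `report-to` alongside it.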