be sure to look here:

https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/explained.md

Also make sure you log:

https://mgdm.net/weblog/csp-logging-with-nginx/

useful: 

https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/
https://www.troyhunt.com/how-chromes-buggy-content-security-policy-implementation-cost-me-money/
https://www.uriports.com/blog/creating-a-content-security-policy-csp/
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://cspscanner.com/?q=https%3A%2F%2Fluxagraf.net