Csp-toolkit – Python library to parse, analyze, and find bypasses in CSP headers

(chs.us)

CSP headers are one of those things that look simple until you actually audit them. The bypass detection is the useful part — I've seen plenty of Laravel apps with a CSP that looks reasonable until you notice it allows unsafe-inline because someone needed a quick fix three years ago and nobody noticed. Does it handle report-uri vs report-to differences? The migration between those two has caught a few teams I've worked with off guard.
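As an added illustration of the two checks raised in the comment above (example code written for this page, not csp-toolkit's own implementation): a small parser that resolves the default-src fallback, flags 'unsafe-inline' in the effective script-src, and notes which reporting directive is present. Directive names follow the CSP specification; the sample header is constructed.

```python
# Added example, not csp-toolkit code: parse a CSP header and report
# the two weaknesses discussed in the thread.

# Fetch directives that fall back to default-src when absent.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                         "font-src", "media-src", "object-src", "frame-src"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are ';'-separated; the first token is the name, the rest are
    sources. Names are case-insensitive. Browsers ignore a repeated
    directive after its first occurrence, so duplicates are dropped here too.
    """
    directives: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Resolve a fetch directive, applying the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def audit_csp(header: str) -> list[str]:
    """Return findings for the weaknesses the comment mentions."""
    policy = parse_csp(header)
    findings: list[str] = []
    script_srcs = [s.lower().strip("'") for s in effective_sources(policy, "script-src")]
    # Browsers ignore 'unsafe-inline' only when a nonce or hash source is also listed.
    nonce_or_hash = any(s.startswith(("nonce-", "sha256-", "sha384-", "sha512-"))
                        for s in script_srcs)
    if "unsafe-inline" in script_srcs and not nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    # report-uri is deprecated; report-to relies on the Reporting API, which
    # older browsers lack, so a policy with only report-to loses their reports.
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no violation reporting configured")
    elif "report-to" in policy and "report-uri" not in policy:
        findings.append("report-to only: older browsers will not send reports")
    return findings
```

Running `audit_csp("default-src 'self' 'unsafe-inline'")` on the constructed header returns both findings, since script-src inherits the weak default-src.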