Custom plugin (possibly) causing Content Security Policy-issue

After adding a custom plugin to my Strapi project, trying to access Strapi admin in production causes the following error:

Refused to connect to ‘http://localhost:1337/admin/init’ because it violates the following Content Security Policy directive: “connect-src ‘self’ https:”.

It worked fine before adding this plugin, so that’s why I assume there’s something in my plugin (or something I missed), causing the issue. The plugin was created using Strapis plugin generator with the typescript option, it still has the placeholder admin pages generated by Strapi. The plugin functionality is in a service used by a cron task.

I read that it might be something to do with the admin not being built, but I’m pretty sure it is. Initially the server wouldn’t start until I added a prebuild script to my package.json like this:

  "scripts": {
    "develop": "strapi develop",
    "start": "node node_modules/@strapi/strapi/bin/strapi.js start",
    "build": "strapi build",
    "prebuild": "cd src/plugins/my-plugin && npm run build",
    "strapi": "strapi"

I haven’t changed the middleware-plugin or any policies, but maybe I have to?
I realize this is quite vague, but I’m posting in hope that someone might recognize the issue and know what I might be missing.

System Information
  • Strapi Version: 4.10.6
  • Node Version: 16

For anyone who might come across this issue; I managed to find out what was causing it. It turns out it was a TypeScript compilation error that kept the admin pages from building. However, the actual build script didn’t fail and the error also didn’t occur when building locally. We didn’t notice the error until going through the github build logs.

The error was reported in in various flies inside admin/src/pages and looked like this:

"TS2307: Cannot find module '@strapi/helper-plugin' or its corresponding type declarations."

Even though the @strapi/helpler-plugin was declared inside custom.d.ts it didn’t seem to actually do anything. I simply added skipped the typescript checking for the affected files by placing // @ts-nocheck at the top of each file.