I can't seem to get it to work.

I came this far:

header("Content-Security-Policy: default-src 'self' https://*.websitemachine.nl https://*.zoho.eu wss://*.zohopublic.eu https://*.zohopublic.eu; base-uri 'self'; script-src 'self' https://*.zohostatic.eu 'unsafe-inline' https: 'nonce-$random_nonce' 'strict-dynamic' 'report-sample'; font-src 'self' data: https://*.zohostatic.eu https://fonts.gstatic.com; img-src 'self' data: https://*.zoho.eu https://*.zohostatic.eu; object-src 'none'; style-src 'self' 'unsafe-inline' https://*.zohostatic.eu; frame-ancestors https://demo.websitemachine.nl/ https://www.websitemachine.nl/; report-uri https://websitemachine.report-uri.com/r/d/csp/enforce");

header("X-Frame-Options: SAMEORIGIN");
header("X-XSS-Protection: 1; mode=block");
header("X-Content-Type-Options: nosniff");

But still so many violation warings that I give up for now.