When an integration callout initiated from a Lightning Web Component (LWC) fails, the architect must distinguish between client-side and server-side security layers. Unlike Apex callouts, which are governed by Remote Site Settings at the server level, LWC requests originate directly from the user's browser. Consequently, they are subject to the browser's Content Security Policy (CSP).
CSP is a browser-enforced security layer that helps detect and mitigate certain classes of attack, including Cross-Site Scripting (XSS) and data injection. It restricts the origins a page may load content from, and connect to, to those the policy explicitly safe-lists. If an LWC attempts to connect to an external API endpoint whose domain is not listed under CSP Trusted Sites in Salesforce Setup, the browser blocks the request before it is even sent, typically reporting a "Refused to connect because it violates the document's Content Security Policy" error. Cross-Origin Resource Sharing (CORS) is also a browser-level mechanism, but it must be configured on the external server to let the browser read that server's responses. The first validation step within the Salesforce environment for a failing LWC callout is therefore to confirm that the target domain is allowed by the org's CSP.
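To make the blocking behaviour concrete, the following is an added example (not code from the original page or from Salesforce) that models how a browser evaluates a `connect-src` directive against the origin an LWC `fetch()` targets. The policy string, the org origin `https://my-org.example` and the API hosts are constructed placeholders, and the matcher is simplified (no http-to-https upgrade rule, no path matching).

```javascript
// Return the source list of one CSP directive, or null if it is absent.
function parseSources(csp, name) {
  const directive = csp.split(';').map(s => s.trim()).find(s => s.startsWith(name + ' ') || s === name);
  return directive ? directive.split(/\s+/).slice(1) : null;
}

// Does one CSP source expression match the target URL? Handles 'self', 'none',
// scheme-only sources (https:), exact hosts, optional ports and *.host wildcards.
function sourceMatches(source, target, pageOrigin) {
  if (source === "'self'") return target.origin === pageOrigin;
  if (source === "'none'") return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/i);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && target.protocol !== scheme.toLowerCase() + ':') return false;
  const targetPort = target.port || (target.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== targetPort) return false;
  const h = host.toLowerCase(), t = target.hostname.toLowerCase();
  // "*.cdn.example" matches subdomains only, not "cdn.example" itself (CSP3 rule).
  return h.startsWith('*.') ? t.endsWith(h.slice(1)) : t === h;
}

// connect-src governs fetch/XHR; if missing, the browser falls back to default-src.
function isConnectAllowed(csp, pageOrigin, targetUrl) {
  const sources = parseSources(csp, 'connect-src') || parseSources(csp, 'default-src');
  if (!sources) return true;                       // no applicable directive: unrestricted
  const target = new URL(targetUrl);
  return sources.some(src => sourceMatches(src, target, pageOrigin));
}

// Constructed scenario: the org's policy lists one trusted site. A second API host
// that was never added as a CSP Trusted Site is refused before any request leaves
// the browser, which is the failure mode described above.
const ORG_ORIGIN = 'https://my-org.example';      // placeholder for the org's page origin
const ORG_CSP = "default-src 'self'; connect-src 'self' https://api.partner.example";

function explain(targetUrl) {
  return isConnectAllowed(ORG_CSP, ORG_ORIGIN, targetUrl)
    ? `${targetUrl}: allowed by connect-src`
    : `${targetUrl}: refused, host is not a CSP Trusted Site`;
}

console.log(explain('https://api.partner.example/v1/orders'));
console.log(explain('https://api.unlisted.example/v1/orders'));
```

Running it prints one allowed and one refused line; the refused case is the one that surfaces as the "Refused to connect" error in the browser console.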