diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 025c628344d8..099c37d27839 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -639,6 +639,7 @@ in
 gns3-server = runTest ./gns3-server.nix;
 gnupg = runTest ./gnupg.nix;
 go-camo = runTest ./go-camo.nix;
+ go-csp-collector = runTest ./go-csp-collector.nix;
 go-httpbin = runTest ./go-httpbin.nix;
 go-neb = runTest ./go-neb.nix;
 goatcounter = runTest ./goatcounter.nix;
diff --git a/nixos/tests/go-csp-collector.nix b/nixos/tests/go-csp-collector.nix
new file mode 100644
index 000000000000..ec75b51506ff
--- /dev/null
+++ b/nixos/tests/go-csp-collector.nix
@@ -0,0 +1,66 @@ +{ lib, ... }: + +{ + name = "go-csp-collector"; + meta.maintainers = with lib.maintainers; [ stepbrobd ]; + + nodes.machine = + { pkgs, ... }: + { + services.go-csp-collector = { + enable = true; + settings = { + debug = true; + port = 9999; + health-check-path = "/health"; + filter-file = pkgs.writeText "filter" "chrome-extension://"; + }; + }; + }; + + testScript = '' + import json + + # health check + machine.wait_for_unit("go-csp-collector.service") + machine.wait_for_open_port(9999) + machine.succeed("curl -f http://localhost:9999/health") + + # send valid csp report + machine.succeed( + "curl -f -X POST http://127.0.0.1:9999/ " + "-H 'Content-Type: application/csp-report' " + "-d '" + json.dumps({ + "csp-report": { + "document-uri": "https://example.com/", + "referrer": "https://example.com/", + "violated-directive": "script-src", + "effective-directive": "script-src", + "original-policy": "script-src 'self'", + "blocked-uri": "https://example.org/malicious.js", + "status-code": 200 + } + }) + "'" + ) + logs = machine.succeed("journalctl -u go-csp-collector.service") + assert "level=debug" in logs, "debug mode not enabled" + assert "blocked_uri" in logs, "csp report not logged" + assert "https://example.org/malicious.js" in logs, "blocked uri not in logs" + + # check rejection + machine.fail( + "curl -f -X POST http://[::1]:9999/ " + "-H 'Content-Type: application/csp-report' " + "-d '" + json.dumps({ + "csp-report": { + "document-uri": "https://example.com/", + "blocked-uri": "chrome-extension://something", + "violated-directive": "script-src" + } + }) + "'" + ) + logs = machine.succeed("journalctl -u go-csp-collector.service") + assert "invalid resource" in logs, "filter rejection not logged" + assert "chrome-extension://" in logs, "filtered uri pattern not in logs" + ''; +} diff --git a/pkgs/by-name/go/go-csp-collector/package.nix b/pkgs/by-name/go/go-csp-collector/package.nix index 73046b614b05..c8437b2b122b 100644 
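Review bot: The POST bodies in testScript are passed to curl by wrapping the `json.dumps(...)` output in a hand-written single-quoted shell word (`"-d '" + json.dumps({...}) + "'"`), and the first report contains `"original-policy": "script-src 'self'"`, so the shell closes the quoted word at that apostrophe and the collector actually receives `script-src self`; the assertions never look at original-policy, so the test passes while sending a different payload than intended, and any future value with a `'` would break the command outright. Quote the argument with the standard library instead: add `import shlex` beside `import json`, then use `"-d " + shlex.quote(json.dumps({` and close with `}))` in both curl invocations. The rejection check also only requires `machine.fail` of `curl -f`, which is satisfied by a refused connection or a 5xx just as well as by the filter rejecting the report; asserting the returned status (e.g. `-o /dev/null -w '%{http_code}'`) would tie the failure to the filter, with the later journal assertions as confirmation. The hunk's lines were collapsed in this view, so the exact line layout of the curl arguments is inferred.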
--- a/pkgs/by-name/go/go-csp-collector/package.nix
+++ b/pkgs/by-name/go/go-csp-collector/package.nix
@@ -4,6 +4,7 @@
 fetchFromGitHub,
 versionCheckHook,
 nix-update-script,
+ nixosTests,
 }:

 buildGoModule (finalAttrs: {
@@ -36,7 +37,10 @@ buildGoModule (finalAttrs: {
 nativeInstallCheckInputs = [ versionCheckHook ];
 versionCheckProgramArg = "-version";

- passthru.updateScript = nix-update-script { };
+ passthru = {
+ updateScript = nix-update-script { };
+ tests.service = nixosTests.go-csp-collector;
+ };

 meta = {
 description = "A content security policy violation collector written in Golang";