Content-Security-Policy-Report-Only
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.
The HTTP Content-Security-Policy-Report-Only
response header helps to monitor Content Security Policy (CSP) violations and their effects without enforcing the security policies.
This header allows you to test or repair violations before a specific Content-Security-Policy
is applied and enforced.
The CSP report-to
directive must be specified for reports to be sent: if not, the operation won't have any effect.
Violation reports are sent using the Reporting API to endpoints defined in a Reporting-Endpoints
HTTP response header and selected using the CSP report-to
directive.
For more information, see our Content Security Policy (CSP) guide.
Note: The header can also be used with the deprecated report-uri
directive (this is being replaced by report-to
).
The usage and resulting report syntax is slightly different; see the report-uri
topic for more details.
Header type | Response header |
---|---|
Forbidden header name | No |
This header is not supported inside a <meta> element. |
Syntax
Content-Security-Policy-Report-Only: <policy-directive>; …; <policy-directive>; report-to <endpoint-name>
Directives
The Content-Security-Policy-Report-Only
header supports all Content-Security-Policy
directives except sandbox
, which is ignored.
Note: The CSP report-to
directive should be used with this header or it will have no effect.
Examples
Using Content-Security-Policy-Report-Only to send CSP reports
To use the report-to
directive, you first need to define a corresponding endpoint using the Reporting-Endpoints
response header.
In the example below, we define a single endpoint named csp-endpoint
.
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"
We can then define the destination of the report using report-to
and report-uri
, as shown below.
Note that this particular report would be triggered if the page loaded resources insecurely, or from inline code.
Content-Security-Policy-Report-Only: default-src https:;
report-uri /csp-report-url/;
report-to csp-endpoint;
Note: The report-to
directive is preferred over the deprecated report-uri
, but we declare both because report-to
does not yet have full cross-browser support.
Specifications
Specification |
---|
Content Security Policy Level 3 # cspro-header |
Browser compatibility
BCD tables only load in the browser
See also
Content-Security-Policy
- CSP
report-to
directive - CSP
report-uri
directive Deprecated