Content-Security-Policy-Report-Only
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.
The HTTP Content-Security-Policy-Report-Only response header helps to monitor Content Security Policy (CSP) violations and their effects without enforcing the security policies.
This header allows you to test or repair violations before a specific Content-Security-Policy is applied and enforced.
The CSP report-to directive must be specified for reports to be sent: if not, the operation won't have any effect.
Violation reports are sent using the Reporting API to endpoints defined in a Reporting-Endpoints HTTP response header and selected using the CSP report-to directive.
For more information, see our Content Security Policy (CSP) guide.
Note:
The header can also be used with the deprecated report-uri directive (this is being replaced by report-to).
The usage and resulting report syntax is slightly different; see the report-uri topic for more details.
| Header type | Response header |
|---|---|
| Forbidden header name | No |
This header is not supported inside a <meta> element.
|
|
Syntax
Content-Security-Policy-Report-Only: <policy-directive>; …; <policy-directive>; report-to <endpoint-name>
Directives
The Content-Security-Policy-Report-Only header supports all Content-Security-Policy directives except sandbox, which is ignored.
Note:
The CSP report-to directive should be used with this header or it will have no effect.
Examples
Using Content-Security-Policy-Report-Only to send CSP reports
To use the report-to directive, you first need to define a corresponding endpoint using the Reporting-Endpoints response header.
In the example below, we define a single endpoint named csp-endpoint.
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"
We can then define the destination of the report using report-to and report-uri, as shown below.
Note that this particular report would be triggered if the page loaded resources insecurely, or from inline code.
Content-Security-Policy-Report-Only: default-src https:;
report-uri /csp-report-url/;
report-to csp-endpoint;
Note:
The report-to directive is preferred over the deprecated report-uri, but we declare both because report-to does not yet have full cross-browser support.
Specifications
| Specification |
|---|
| Content Security Policy Level 3 # cspro-header |
Browser compatibility
BCD tables only load in the browser
See also
Content-Security-Policy- CSP
report-todirective - CSP
report-uridirective Deprecated