Content-Security-Policy-Report-Only

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.

The HTTP Content-Security-Policy-Report-Only response header helps to monitor Content Security Policy (CSP) violations and their effects without enforcing the security policies. This header allows you to test or repair violations before a specific Content-Security-Policy is applied and enforced.

The CSP report-to directive must be specified for reports to be sent: if not, the operation won't have any effect.

Violation reports are sent using the Reporting API to endpoints defined in a Reporting-Endpoints HTTP response header and selected using the CSP report-to directive.

For more information, see our Content Security Policy (CSP) guide.

Note: The header can also be used with the deprecated report-uri directive (this is being replaced by report-to). The usage and resulting report syntax is slightly different; see the report-uri topic for more details.

Header type Response header
Forbidden header name No
This header is not supported inside a <meta> element.

Syntax

http
Content-Security-Policy-Report-Only: <policy-directive>; …; <policy-directive>; report-to <endpoint-name>

Directives

The Content-Security-Policy-Report-Only header supports all Content-Security-Policy directives except sandbox, which is ignored.

Note: The CSP report-to directive should be used with this header or it will have no effect.

Examples

Using Content-Security-Policy-Report-Only to send CSP reports

To use the report-to directive, you first need to define a corresponding endpoint using the Reporting-Endpoints response header. In the example below, we define a single endpoint named csp-endpoint.

http
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"

We can then define the destination of the report using report-to and report-uri, as shown below. Note that this particular report would be triggered if the page loaded resources insecurely, or from inline code.

http
Content-Security-Policy-Report-Only: default-src https:;
  report-uri /csp-report-url/;
  report-to csp-endpoint;

Note: The report-to directive is preferred over the deprecated report-uri, but we declare both because report-to does not yet have full cross-browser support.

Specifications

Specification
Content Security Policy Level 3
# cspro-header

Browser compatibility

BCD tables only load in the browser

See also