Content-Security-Policy-Report-Only
The HTTP `Content-Security-Policy-Report-Only` response header allows web developers to send CSP violation reports to experiment with policies by monitoring (but not enforcing) their effects. This allows CSP violations to be caught and repaired quickly during testing.

`Content-Security-Policy-Report-Only` is used in the same way as `Content-Security-Policy`, but violations are not enforced.

The CSP `report-to` directive must be specified for reports to be sent: if not, the operation won't have any effect.

Violation reports are sent using the Reporting API to endpoints defined in a `Reporting-Endpoints` HTTP response header and selected using the CSP `report-to` directive.

For more information, see our Content Security Policy (CSP) guide.

Note: The header can also be used with the deprecated `report-uri` directive (this is being replaced by `report-to`). The usage and resulting report syntax is slightly different; see the `report-uri` topic for more details.
| Header type | Response header |
|---|---|
| Forbidden header name | no |

This header is not supported inside a `<meta>` element.
Syntax
```http
Content-Security-Policy-Report-Only: <policy-directive>; ...; <policy-directive>; report-to <endpoint-name>
```
Directives
The directives of the `Content-Security-Policy` header can also be applied to `Content-Security-Policy-Report-Only`, except for the `sandbox` directive, which will be ignored.

The CSP `report-to` directive should be used with this header or it will have no effect.
Examples
To use the `report-to` directive, you first need to define a corresponding endpoint using the `Reporting-Endpoints` HTTP response header. In the example below we define a single endpoint named `csp-endpoint`.

```http
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"
```

We might then define the destination of the report using `report-to` and `report-uri`, as shown below. Note that this particular report would be triggered if the page loaded resources insecurely, or from inline code.

```http
Content-Security-Policy-Report-Only: default-src https:;
  report-uri /csp-report-url/;
  report-to csp-endpoint;
```

Note: The `report-to` directive is preferred over the deprecated `report-uri`, but we declare both because `report-to` does not yet have full cross-browser support.
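Because the policy above declares both `report-to` and `report-uri`, the collecting endpoint may receive violations in either delivery format: a Reporting API batch (`Content-Type: application/reports+json`, an array of reports whose `body` uses camelCase field names) or a legacy `report-uri` POST (`Content-Type: application/csp-report`, one object under a `csp-report` key with dashed field names). The following added example, which is not part of the MDN page, normalizes both into one record shape so a single dashboard or alert rule can consume them; the sample reports and the `normalize_reports` helper are constructed here for illustration. In both formats a `disposition` of `"report"` identifies a violation that came from the Report-Only header rather than an enforced policy.

```python
import json

# Constructed sample: a report delivered via the Reporting API (report-to).
# The body is a JSON array of report objects, Content-Type application/reports+json.
REPORTING_API_SAMPLE = json.dumps([{
    "type": "csp-violation",
    "url": "https://example.com/page",
    "body": {
        "documentURL": "https://example.com/page",
        "blockedURL": "http://cdn.example.net/app.js",
        "effectiveDirective": "script-src",
        "disposition": "report",
    },
}])

# Constructed sample: the legacy report-uri format, Content-Type application/csp-report,
# with a single object wrapped in a "csp-report" key and dashed field names.
REPORT_URI_SAMPLE = json.dumps({
    "csp-report": {
        "document-uri": "https://example.com/page",
        "blocked-uri": "inline",
        "effective-directive": "script-src-elem",
        "disposition": "report",
    }
})


def normalize_reports(content_type: str, payload: str) -> list[dict]:
    """Return a list of {document, blocked, directive, disposition} dicts
    regardless of which delivery mechanism produced the report."""
    data = json.loads(payload)
    if content_type.startswith("application/reports+json"):
        # Reporting API batches may mix report types; keep only CSP violations.
        bodies = [r["body"] for r in data if r.get("type") == "csp-violation"]
        return [{
            "document": b.get("documentURL"),
            "blocked": b.get("blockedURL"),
            "directive": b.get("effectiveDirective"),
            "disposition": b.get("disposition"),
        } for b in bodies]
    if content_type.startswith("application/csp-report"):
        b = data["csp-report"]
        return [{
            "document": b.get("document-uri"),
            "blocked": b.get("blocked-uri"),
            # Older browsers send only violated-directive; prefer the effective one.
            "directive": b.get("effective-directive") or b.get("violated-directive"),
            "disposition": b.get("disposition"),
        }]
    raise ValueError(f"unexpected Content-Type: {content_type}")
```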
Specifications
| Specification |
|---|
| Content Security Policy Level 3 # cspro-header |
See also
- `Content-Security-Policy`
- CSP `report-to` directive
- CSP `report-uri` directive (Deprecated)