Content-Security-Policy-Report-Only

The HTTP Content-Security-Policy-Report-Only response header allows web developers to send CSP violation reports to experiment with policies by monitoring (but not enforcing) their effects. This allows CSP violations to be caught and repaired quickly during testing.

Content-Security-Policy-Report-Only is used in the same way as Content-Security-Policy but violations are not enforced. The CSP report-to directive must be specified for reports to be sent: if not, the operation won't have any effect.

Violation reports are sent using the Reporting API to endpoints defined in a Reporting-Endpoints HTTP response header and selected using the CSP report-to directive.

For more information, see our Content Security Policy (CSP) guide.

Note: The header can also be used with the deprecated report-uri directive (this is being replaced by report-to). The usage and resulting report syntax is slightly different; see the report-uri topic for more details.

Header type Response header
Forbidden header name no
This header is not supported inside a <meta> element.

Syntax

http
Content-Security-Policy-Report-Only: <policy-directive>; ...; <policy-directive>; report-to <endpoint-name>

Directives

The directives of the Content-Security-Policy header can also be applied to Content-Security-Policy-Report-Only, except for the sandbox directive, which will be ignored.

The CSP report-to directive should be used with this header or it will have no effect.

Examples

To use the report-to directive, you first need to define a corresponding endpoint using the Reporting-Endpoints HTTP response header. In the example below we define a single endpoint named csp-endpoint.

http
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"

We might then define the destination of the report using report-to and report-uri, as shown below. Note that this particular report would be triggered if the page loaded resources insecurely, or from inline code.

http
Content-Security-Policy-Report-Only: default-src https:;
  report-uri /csp-report-url/;
  report-to csp-endpoint;

Note: The report-to directive is preferred over the deprecated report-uri, but we declare both because report-to does not yet have full cross-browser support.

Specifications

Specification
Content Security Policy Level 3
# cspro-header

Browser compatibility

BCD tables only load in the browser

See also