Content-Security-Policy-Report-Only

The HTTP Content-Security-Policy-Report-Only response header lets web developers experiment with a Content Security Policy by monitoring its effects without enforcing them: the browser sends a violation report for anything the policy would have blocked, but blocks nothing. This allows policy problems to be found and fixed during testing, before the same policy is deployed with the enforcing Content-Security-Policy header.

Content-Security-Policy-Report-Only accepts the same policy as Content-Security-Policy, but violations are only reported, never enforced. A reporting directive (report-to, or the deprecated report-uri) must be present for reports to be sent; without one the header has no effect.

Violation reports are sent using the Reporting API to endpoints defined in a Reporting-Endpoints HTTP response header and selected using the CSP report-to directive.

For more information, see our Content Security Policy (CSP) guide.

Note: The header can also be used with the deprecated report-uri directive (this is being replaced by report-to). The usage and resulting report syntax is slightly different; see the report-uri topic for more details.

Header type: Response header
Forbidden header name: no
This header is not supported inside a <meta> element.

Syntax

http
Content-Security-Policy-Report-Only: <policy-directive>; ...; <policy-directive>; report-to <endpoint-name>

Directives

The directives of the Content-Security-Policy header can also be applied to Content-Security-Policy-Report-Only, except for the sandbox directive, which will be ignored.

The CSP report-to directive (or the deprecated report-uri directive) must be used with this header; without a reporting directive the header has no effect.

Examples

To use the report-to directive, you first need to define a corresponding endpoint using the Reporting-Endpoints HTTP response header. In the example below we define a single endpoint named csp-endpoint.

http
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"

We might then define the destination of the reports using report-to and report-uri, as shown below. Note that with this policy a report would be sent if the page loaded resources over an insecure scheme, or ran inline script or style.

http
Content-Security-Policy-Report-Only: default-src https:;
  report-uri /csp-report-url/;
  report-to csp-endpoint;

Note: The report-to directive is preferred over the deprecated report-uri, but we declare both because report-to does not yet have full cross-browser support.
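The two-header setup above produces reports in two different shapes depending on which directive the browser honours: report-to delivers an application/reports+json array through the Reporting API, while the legacy report-uri delivers a single application/csp-report object. The following is an added example written for this page in plain JavaScript (it is not code from MDN or from any browser); it builds the two headers as single-line values and normalises both report formats into one record. The endpoint URL, the endpoint name csp-endpoint, the helper names, and the two sample payloads are constructed for illustration.

```javascript
// Added example (not from the MDN page). Endpoint URL/name and sample
// payloads below are constructed for illustration.

// Build the two response headers. A header value must be a single line, so
// the directives are joined with "; " rather than folded as in the prose.
function cspReportOnlyHeaders(endpointUrl, endpointName = 'csp-endpoint') {
  const directives = [
    'default-src https:',
    `report-uri ${endpointUrl}`,  // legacy fallback for browsers without report-to
    `report-to ${endpointName}`,  // preferred; name resolved via Reporting-Endpoints
  ];
  return {
    'Reporting-Endpoints': `${endpointName}="${endpointUrl}"`,
    'Content-Security-Policy-Report-Only': directives.join('; '),
  };
}

// Normalise a report POST body to one record shape, whichever directive
// delivered it. report-to: application/reports+json, an array of reports.
// report-uri: application/csp-report, one object under "csp-report".
function normalizeCspReports(contentType, bodyText) {
  const mediaType = contentType.split(';')[0].trim().toLowerCase();
  const data = JSON.parse(bodyText);

  if (mediaType === 'application/reports+json') {
    return data
      .filter((r) => r.type === 'csp-violation')
      .map((r) => ({
        documentUrl: r.body.documentURL,
        blockedUrl: r.body.blockedURL,
        effectiveDirective: r.body.effectiveDirective,
        disposition: r.body.disposition,   // "report" under Report-Only
        sourceFile: r.body.sourceFile || null,
        line: r.body.lineNumber ?? null,
        via: 'report-to',
      }));
  }

  if (mediaType === 'application/csp-report') {
    const b = data['csp-report'];
    return [{
      documentUrl: b['document-uri'],
      blockedUrl: b['blocked-uri'],
      effectiveDirective: b['effective-directive'] || b['violated-directive'],
      disposition: b['disposition'],
      sourceFile: b['source-file'] || null,
      line: b['line-number'] ?? null,
      via: 'report-uri',
    }];
  }

  throw new Error(`unexpected report media type: ${mediaType}`);
}

// Violations caused by browser extensions injecting content are noise when
// tuning a policy; flag them so they can be dropped from triage.
function isExtensionNoise(report) {
  return /^(chrome|moz|safari|ms-browser)-extension:/.test(report.blockedUrl || '');
}

// Constructed sample payloads shaped like the two formats browsers send.
const SAMPLE_REPORT_TO_BODY = JSON.stringify([{
  age: 12,
  type: 'csp-violation',
  url: 'https://example.com/checkout',
  user_agent: 'Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0',
  body: {
    documentURL: 'https://example.com/checkout',
    blockedURL: 'http://cdn.example.net/app.js',  // plain http, blocked by https:
    effectiveDirective: 'script-src-elem',
    originalPolicy: 'default-src https:; report-uri /csp-reports; report-to csp-endpoint',
    disposition: 'report',
    statusCode: 200,
  },
}]);

const SAMPLE_REPORT_URI_BODY = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.com/checkout',
    'blocked-uri': 'inline',                      // inline script, no 'unsafe-inline'
    'violated-directive': 'script-src-elem',
    'effective-directive': 'script-src-elem',
    'original-policy': 'default-src https:; report-uri /csp-reports; report-to csp-endpoint',
    disposition: 'report',
    'line-number': 42,
    'source-file': 'https://example.com/checkout',
  },
});

// Parse both samples and drop extension noise; returns the triage list.
function demo() {
  const viaReportTo = normalizeCspReports('application/reports+json', SAMPLE_REPORT_TO_BODY);
  const viaReportUri = normalizeCspReports('application/csp-report; charset=utf-8', SAMPLE_REPORT_URI_BODY);
  return [...viaReportTo, ...viaReportUri].filter((r) => !isExtensionNoise(r));
}
```

Two things worth checking in a real collector: the disposition field is "report" for violations raised by this header and "enforce" for those raised by Content-Security-Policy, so the same endpoint can serve both during a staged rollout; and the effectiveDirective (script-src-elem here, falling back from default-src) is the directive to adjust when fixing the policy, not the one you wrote.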

Specifications

Content Security Policy Level 3 (# cspro-header)

Browser compatibility


See also