Content-Security-Policy-Report-Only
{{HTTPSidebar}}
The HTTP Content-Security-Policy-Report-Only {{Glossary("response header")}} helps to monitor Content Security Policy (CSP) violations and their effects without enforcing the security policies. This header allows you to test or repair violations before a specific {{HTTPHeader("Content-Security-Policy")}} is applied and enforced.

The CSP {{CSP("report-to")}} directive must be specified for reports to be sent: if not, the operation won't have any effect.

Violation reports are sent using the Reporting API to endpoints defined in a {{HTTPHeader("Reporting-Endpoints")}} HTTP response header and selected using the CSP {{CSP("report-to")}} directive.
For more information, see our Content Security Policy (CSP) guide.
> [!NOTE]
> The header can also be used with the deprecated {{CSP("report-uri")}} directive (this is being replaced by {{CSP("report-to")}}). The usage and resulting report syntax is slightly different; see the {{CSP("report-uri")}} topic for more details.
| Header type | {{Glossary("Response header")}} |
|---|---|
| {{Glossary("Forbidden header name")}} | No |
| This header is not supported inside a {{HTMLElement("meta")}} element. | |
## Syntax

```http
Content-Security-Policy-Report-Only: <policy-directive>; …; <policy-directive>; report-to <endpoint-name>
```
## Directives

The Content-Security-Policy-Report-Only header supports all {{HTTPHeader("Content-Security-Policy")}} directives except `sandbox`, which is ignored.

> [!NOTE]
> The CSP {{CSP("report-to")}} directive should be used with this header or it will have no effect.
## Examples

### Using Content-Security-Policy-Report-Only to send CSP reports

To use the {{CSP("report-to")}} directive, you first need to define a corresponding endpoint using the {{HTTPHeader("Reporting-Endpoints")}} response header. In the example below, we define a single endpoint named `csp-endpoint`.

```http
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"
```

We can then define the destination of the report using {{CSP("report-to")}} and {{CSP("report-uri")}}, as shown below. Note that this particular report would be triggered if the page loaded resources insecurely, or from inline code.

```http
Content-Security-Policy-Report-Only: default-src https:;
  report-uri /csp-report-url/;
  report-to csp-endpoint;
```

> [!NOTE]
> The `report-to` directive is preferred over the deprecated `report-uri`, but we declare both because `report-to` does not yet have full cross-browser support.
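As an added illustration (not part of this page or of any browser's code), the following Python snippet checks the header pair above for the wiring mistakes that make a report-only policy silently do nothing (a `report-to` group that is missing or not declared in `Reporting-Endpoints`, or a `sandbox` directive that is ignored), and then reduces a constructed Reporting API batch to the fields a defender triages. The report body field names (`documentURL`, `blockedURL`, `effectiveDirective`, `disposition`) follow the Reporting API `csp-violation` report format; the sample values are constructed.

```python
import json
import re

# Constructed sample header values, mirroring the page's example.
REPORTING_ENDPOINTS = 'csp-endpoint="https://example.com/csp-reports"'
CSP_REPORT_ONLY = "default-src https:; report-uri /csp-report-url/; report-to csp-endpoint"


def parse_reporting_endpoints(header):
    # Map endpoint names to URLs: comma-separated name="https://..." pairs.
    return dict(re.findall(r'([\w-]+)="([^"]+)"', header))


def parse_csp(header):
    # Split a policy into {directive: [values]}; directive names are case-insensitive.
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_report_wiring(reporting_endpoints, csp_report_only):
    # Return the misconfigurations that make a report-only policy silently do nothing.
    endpoints = parse_reporting_endpoints(reporting_endpoints)
    policy = parse_csp(csp_report_only)
    problems = []
    group = policy.get("report-to")
    if not group:
        problems.append("no report-to directive: reports are never sent")
    elif group[0] not in endpoints:
        problems.append(f"report-to group {group[0]!r} not declared in Reporting-Endpoints")
    if "sandbox" in policy:
        problems.append("sandbox is ignored in report-only mode")
    return problems


# Constructed Reporting API batch (application/reports+json) as a browser would POST it.
SAMPLE_BATCH = json.dumps([{
    "type": "csp-violation", "age": 12, "url": "https://example.com/page",
    "user_agent": "constructed-UA/1.0",
    "body": {"documentURL": "https://example.com/page", "blockedURL": "http://cdn.example/app.js",
             "effectiveDirective": "script-src-elem", "originalPolicy": CSP_REPORT_ONLY,
             "disposition": "report", "statusCode": 200},
}])


def summarize_reports(batch_json):
    # Reduce a batch to (effectiveDirective, blockedURL, disposition); "report" means not enforced.
    return [(r["body"]["effectiveDirective"], r["body"]["blockedURL"], r["body"]["disposition"])
            for r in json.loads(batch_json) if r.get("type") == "csp-violation"]
```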
## Specifications

{{Specifications}}

## Browser compatibility

{{Compat}}

## See also

- {{HTTPHeader("Content-Security-Policy")}}
- CSP {{CSP("report-to")}} directive
- CSP {{CSP("report-uri")}} directive {{deprecated_inline}}