Content-Security-Policy-Report-Only

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.

The HTTP Content-Security-Policy-Report-Only response header helps to monitor Content Security Policy (CSP) violations and their effects without enforcing the security policies. This header allows you to test or repair violations before a specific Content-Security-Policy is applied and enforced.

The CSP report-to directive must be specified for reports to be sent: if it is omitted, the header has no effect.

Violation reports are sent using the Reporting API to endpoints defined in a Reporting-Endpoints HTTP response header and selected using the CSP report-to directive.

For more information, see our Content Security Policy (CSP) guide.

Note: The header can also be used with the deprecated report-uri directive (this is being replaced by report-to). The usage and resulting report syntax is slightly different; see the report-uri topic for more details.

Header type: Response header
Forbidden header name: No
This header is not supported inside a <meta> element.

Syntax

http
Content-Security-Policy-Report-Only: <policy-directive>; …; <policy-directive>; report-to <endpoint-name>

Directives

The Content-Security-Policy-Report-Only header supports all Content-Security-Policy directives except sandbox, which is ignored.

Note: The CSP report-to directive should be used with this header or it will have no effect.

Examples

Using Content-Security-Policy-Report-Only to send CSP reports

To use the report-to directive, you first need to define a corresponding endpoint using the Reporting-Endpoints response header. In the example below, we define a single endpoint named csp-endpoint.

http
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"

We can then define the destination of the report using report-to and report-uri, as shown below. Note that this particular report would be triggered if the page loaded resources insecurely, or from inline code.

http
Content-Security-Policy-Report-Only: default-src https:;
  report-uri /csp-report-url/;
  report-to csp-endpoint;

Note: The report-to directive is preferred over the deprecated report-uri, but we declare both because report-to does not yet have full cross-browser support.
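The two headers above only tell the browser where to send reports; something has to receive them. The following is an added example, not code from the MDN page, showing a helper that builds the header pair described above and a parser that normalises the two report formats the page mentions (the Reporting API batch sent for report-to, and the deprecated report-uri body). Field names follow the CSP3 report formats; the sample bodies and URLs are constructed.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class CspViolation:
    document: str
    directive: str
    blocked: str
    disposition: str  # "report" when sent by a Report-Only policy, "enforce" otherwise


def report_only_headers(policy, endpoint_name, endpoint_url):
    """Build the endpoint definition and a Report-Only policy that routes to it."""
    return {
        "Reporting-Endpoints": f'{endpoint_name}="{endpoint_url}"',
        "Content-Security-Policy-Report-Only": f"{policy}; report-to {endpoint_name}",
    }


def parse_csp_reports(body):
    """Normalise a report POST body into CspViolation records.
    report-to (Reporting API): a JSON array of report objects, each with a "type"
    and a camelCase "body". Deprecated report-uri: one object under "csp-report"
    with hyphenated keys."""
    data = json.loads(body)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        return [CspViolation(r.get("document-uri", ""),
                             r.get("effective-directive") or r.get("violated-directive", ""),
                             r.get("blocked-uri", ""), r.get("disposition", ""))]
    found = []
    for report in (data if isinstance(data, list) else []):
        if report.get("type") != "csp-violation":
            continue  # a Reporting API batch may carry other report types
        b = report.get("body", {})
        found.append(CspViolation(b.get("documentURL", ""), b.get("effectiveDirective", ""),
                                  b.get("blockedURL", ""), b.get("disposition", "")))
    return found


# Constructed sample bodies, shaped like what a browser would POST to the endpoint.
REPORT_TO_BATCH = json.dumps([{"type": "csp-violation", "age": 12, "url": "https://example.com/page",
    "body": {"documentURL": "https://example.com/page", "blockedURL": "http://cdn.example.net/app.js",
             "effectiveDirective": "script-src-elem", "disposition": "report", "statusCode": 200}}])
REPORT_URI_BODY = json.dumps({"csp-report": {"document-uri": "https://example.com/page",
    "blocked-uri": "inline", "violated-directive": "default-src https:",
    "effective-directive": "script-src-elem", "disposition": "report"}})

if __name__ == "__main__":
    print(report_only_headers("default-src https:", "csp-endpoint", "https://example.com/csp-reports"))
    for v in parse_csp_reports(REPORT_TO_BATCH) + parse_csp_reports(REPORT_URI_BODY):
        print(v)
```

A disposition of "report" confirms the violation came from the Report-Only header, so these records can be triaged before the same policy is moved to Content-Security-Policy.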

Specifications

Specification: Content Security Policy Level 3 (# cspro-header)

Browser compatibility


See also