Content-Security-Policy-Report-Only Header
Table of Contents
- Syntax
- Directives
- Examples
- Browser Compatibility
- How to modify Content-Security-Policy-Report-Only header
The Content-Security-Policy-Report-Only response header allows web developers to enable Content Security Policy (CSP) in "Report-only" mode where actual policy violations are reported but not blocked. This allows developers to evaluate the potential impact of enforcing a CSP and fine-tune the policy before enforcing it.
Syntax
Content-Security-Policy-Report-Only: script-src 'self'; object-src 'none'; report-uri /my_amazing_csp_report_parser;
Directives
The directives for the Content-Security-Policy-Report-Only header are the same as those for the Content-Security-Policy header, apart from the 'report-uri' directive, which specifies where the user agent should send reports about policy violations.
Examples
If you want to test a policy like default-src 'self' but still allow everything, you could use the following header:
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /reporting_endpoint
Browser Compatibility
| Browser | Compatibility |
|---|---|
| Chrome | Supported |
| Firefox | Supported |
| Safari | Supported |
| Opera | Supported |
| Edge | Supported |
How to modify Content-Security-Policy-Report-Only header
ModHeader is a Chrome extension that allows you to make changes to the request and response headers. To modify the Content-Security-Policy-Report-Only header using ModHeader, follow these steps:
- Install and open ModHeader.
- Under "Response headers", click "Add" and fill in the fields:
  - Name: Content-Security-Policy-Report-Only
  - Value: The CSP report-only policy you want to test.
- Save the changes.
Now ModHeader will modify the Content-Security-Policy-Report-Only header for all requests from your browser, allowing you to test the impact of deploying a particular security policy without blocking any content. This powerful tool aids in balancing website functionality with website security.