Content-Security-Policy-Report-Only Header


The Content-Security-Policy-Report-Only response header allows web developers to enable Content Security Policy (CSP) in "Report-only" mode where actual policy violations are reported but not blocked. This allows developers to evaluate the potential impact of enforcing a CSP and fine-tune the policy before enforcing it.

Syntax

Content-Security-Policy-Report-Only: script-src 'self'; object-src 'none'; report-uri /my_amazing_csp_report_parser;

Directives

The directives for the Content-Security-Policy-Report-Only header are the same as those for the Content-Security-Policy header. The report-uri directive specifies where the user agent should send reports about policy violations; a report-only policy without a reporting directive only surfaces violations in the browser's developer console, so include report-uri (or report-to) if you want to collect them server-side.

Examples

If you want to test a policy like default-src 'self' without blocking anything, you could use the following header:

Content-Security-Policy-Report-Only: default-src 'self'; report-uri /reporting_endpoint
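As an added example (not code from the original page or from ModHeader), the following JavaScript shows both halves of the report-only workflow: building the header value from a policy object, and parsing the JSON document a browser POSTs to the report-uri endpoint so violations can be counted by directive and blocked URI. The report bodies and the endpoint path /reporting_endpoint are constructed samples; the field names follow the application/csp-report format browsers send.

```javascript
// Build the header value from a policy object, e.g.
// { 'default-src': ["'self'"], 'report-uri': ['/reporting_endpoint'] }
function buildReportOnlyHeader(policy) {
  const value = Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
  return { name: 'Content-Security-Policy-Report-Only', value };
}

// Constructed sample report bodies (Content-Type: application/csp-report).
// The first is a cross-origin script blocked by default-src 'self'; the
// second is an inline script, which browsers report with blocked-uri "inline".
const SAMPLE_REPORTS = [
  JSON.stringify({
    'csp-report': {
      'document-uri': 'https://example.test/page',
      'violated-directive': 'script-src-elem',
      'effective-directive': 'script-src-elem',
      'original-policy': "default-src 'self'; report-uri /reporting_endpoint",
      'blocked-uri': 'https://cdn.example.test/app.js',
      'disposition': 'report',
      'status-code': 200,
    },
  }),
  JSON.stringify({
    'csp-report': {
      'document-uri': 'https://example.test/page',
      'violated-directive': 'script-src-elem',
      'effective-directive': 'script-src-elem',
      'original-policy': "default-src 'self'; report-uri /reporting_endpoint",
      'blocked-uri': 'inline',
      'disposition': 'report',
      'status-code': 200,
    },
  }),
];

// Parse one report body. Returns null for anything that is not a well-formed
// csp-report object, so a logging endpoint can drop junk without throwing.
function parseCspReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return null;
  }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;
  return {
    documentUri: String(r['document-uri'] || ''),
    directive: String(r['effective-directive'] || r['violated-directive'] || ''),
    blockedUri: String(r['blocked-uri'] || ''),
    // Report-only policies send disposition "report"; enforced ones send "enforce".
    disposition: r['disposition'] === 'enforce' ? 'enforce' : 'report',
  };
}

// Count violations by (directive, blocked URI). These pairs are what you
// review to decide which sources to allow before switching to enforcement.
function summarizeReports(bodies) {
  const counts = new Map();
  for (const body of bodies) {
    const v = parseCspReport(body);
    if (!v) continue;
    const key = `${v.directive} -> ${v.blockedUri}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Usage: build the header from the Examples section and summarize the samples.
const header = buildReportOnlyHeader({
  'default-src': ["'self'"],
  'report-uri': ['/reporting_endpoint'],
});
console.log(`${header.name}: ${header.value}`);
for (const [key, n] of summarizeReports(SAMPLE_REPORTS)) {
  console.log(`${n} x ${key}`);
}
```

In a real deployment the endpoint must accept POST bodies with Content-Type application/csp-report (and application/reports+json when report-to is used), should rate-limit and cap body size because anyone can POST to it, and should treat blocked-uri as untrusted input when rendering the summary.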

Browser Compatibility

Chrome Supported
Firefox Supported
Safari Supported
Opera Supported
Edge Supported

How to modify Content-Security-Policy-Report-Only header

ModHeader is a Chrome extension that allows you to make changes to the request and response headers. To modify the Content-Security-Policy-Report-Only using ModHeader, follow these steps:

  1. Install and open ModHeader.
  2. Click "Add" and fill in the fields:
    • Response headers: Content-Security-Policy-Report-Only
    • Value: The report-only CSP you want to test.
  3. Save the changes.

ModHeader will now add the Content-Security-Policy-Report-Only header to every response your browser receives, letting you observe which resources a given policy would block (in the console and at the report-uri endpoint) without actually blocking any content. This lets you check a policy against real site functionality before enforcing it.