The Content-Security-Policy-Report-Only HTTP header is a powerful tool for testing and monitoring the effects of a Content Security Policy (CSP) without enforcing it.
It allows you to define a CSP and receive violation reports in the browser's developer console or at a specified reporting endpoint, without blocking any content.
This is particularly useful for trying out CSP rules in a production environment without risking breaking your website.


For example, a report-only policy could combine the following directives:
default-src 'self': Allow resources only from the same origin.
script-src 'self' https://trusted.cdn.com: Allow scripts only from the same origin and a trusted CDN.
report-uri /csp-violation-report-endpoint: Specify the endpoint (mandatory) to which the browser will POST violation reports.
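As an added example that is not part of the original page, the following Python shows the two halves of the workflow described above: serialising the directives into the header value, and parsing the JSON body a browser POSTs to the report-uri endpoint so violations can be triaged (in report-only mode the "disposition" field is "report"). The policy and the endpoint path are the ones from the text; the sample report is constructed for the example, and the noise filter for browser-extension origins is a common triage heuristic, not a CSP feature.

```python
"""Added example for this page: build a Content-Security-Policy-Report-Only
header value and parse the violation reports a browser sends to report-uri.
Illustrative code, not a library API."""
import json
from typing import Dict, List, Optional

# Same directives as in the text above. The report-uri path is the page's
# example path, not a real service.
EXAMPLE_POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://trusted.cdn.com"],
    "report-uri": ["/csp-violation-report-endpoint"],
}

# Constructed sample of what a browser POSTs (Content-Type: application/csp-report)
# when a report-only policy sees a script loaded from an unlisted origin.
SAMPLE_REPORT: bytes = json.dumps({
    "csp-report": {
        "document-uri": "https://www.example.com/checkout",
        "violated-directive": "script-src 'self' https://trusted.cdn.com",
        "effective-directive": "script-src",
        "blocked-uri": "https://unlisted.example/analytics.js",
        "disposition": "report",
        "status-code": 200,
    }
}).encode()


def build_report_only_header(policy: Dict[str, List[str]]) -> str:
    """Serialise a directive map to the header value: directives separated by
    '; ', sources within a directive separated by spaces. Refuses a policy with
    no reporting directive, because a report-only policy without one produces
    nothing to observe."""
    if "report-uri" not in policy and "report-to" not in policy:
        raise ValueError("report-only policy needs report-uri or report-to")
    return "; ".join(f"{name} {' '.join(values)}" for name, values in policy.items())


def parse_csp_report(body: bytes) -> Optional[Dict[str, str]]:
    """Parse one POST body from the report endpoint. Returns the fields a
    defender usually triages on, or None if the body is not a CSP report
    (anything can POST to the endpoint, so never trust its shape)."""
    try:
        data = json.loads(body)
    except ValueError:  # includes UnicodeDecodeError and JSONDecodeError
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    return {
        "document": str(report.get("document-uri", "")),
        "directive": str(report.get("effective-directive")
                         or report.get("violated-directive", "")),
        "blocked": str(report.get("blocked-uri", "")),
        "disposition": str(report.get("disposition", "enforce")),
    }


# Browser extensions inject their own scripts and trip CSP; those reports say
# nothing about your site. Heuristic filter, assumed for this example.
_EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension")


def classify_report(parsed: Dict[str, str]) -> str:
    """Label a parsed report as 'extension-noise' or 'policy-gap'."""
    if parsed["blocked"].startswith(_EXTENSION_SCHEMES):
        return "extension-noise"
    return "policy-gap"


if __name__ == "__main__":
    print("Content-Security-Policy-Report-Only:", build_report_only_header(EXAMPLE_POLICY))
    parsed = parse_csp_report(SAMPLE_REPORT)
    print(parsed, classify_report(parsed) if parsed else None)
```

Reports that classify as policy-gap are the ones worth reviewing before switching the header to the enforcing Content-Security-Policy: each is either a legitimate resource missing from the allow-list or something loading on your page that should not be.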
