CSP enforce & report only

Monday, November 18, 2024
5 min read
Theotime Quere
Content Security Policy offers two modes of operation: enforce and report-only. Understanding when and how to use each mode is crucial for effectively implementing and testing your security policies.

Understanding CSP Modes

Content Security Policy can be implemented in two different modes, each serving a specific purpose in your security strategy.

1. Enforce Mode

In enforce mode, the browser actively blocks any content that violates your CSP rules. This is the standard mode for protecting your website.

Example of CSP in enforce mode

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com;

2. Report-Only Mode

Report-only mode monitors violations without blocking content. It's perfect for testing new policies or understanding your website's behavior.

Example of CSP in report-only mode

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.com; report-uri https://report.centralcsp.com/<myendpoint>;

Meta Tag Limitation

Report-only mode cannot be delivered through a <meta> tag: browsers ignore Content-Security-Policy-Report-Only there. Deliver any policy you are still testing as an HTTP header.

When to Use Each Mode

  • Use Enforce Mode when your policy has been thoroughly tested and you're ready to actively protect your site.

  • Use Report-Only Mode when you are testing new policies, analyzing their potential impact, or gathering data about your site's resource usage.

Using Both Modes Together

You can use both modes simultaneously to enforce one policy while testing a stricter one.

Enforce, with a broad policy:

Content-Security-Policy: default-src *; script-src 'self' * 'unsafe-inline' 'unsafe-eval';

Report-Only, with a report-uri and a stricter policy:

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.com; img-src 'self' https://images.example.com; report-uri https://report.centralcsp.com/<myendpoint>;

Combined Usage

When using both modes, the enforce policy protects your site while the report-only policy helps you evaluate potential changes.
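The two headers above, assembled from structured policies and paired with a small triage routine for the reports they produce, as an added Python example that is not part of the original post. It assumes the legacy report-uri JSON format and the CSP Level 3 "disposition" field, which tells the enforced and report-only policies apart; the report endpoint is the placeholder from the post.

```python
import json

# Constructed policies that mirror the two headers above (added example, not the post's code).
ENFORCE_POLICY = {
    "default-src": ["*"],
    "script-src": ["'self'", "*", "'unsafe-inline'", "'unsafe-eval'"],
}
REPORT_ONLY_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://trusted.com"],
    "img-src": ["'self'", "https://images.example.com"],
}
REPORT_ENDPOINT = "https://report.centralcsp.com/<myendpoint>"  # placeholder from the post

def serialize_policy(policy: dict) -> str:
    """Render a {directive: [sources]} mapping as a CSP header value."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items()) + ";"

def build_csp_headers(enforce: dict, report_only: dict, endpoint: str) -> dict:
    """Emit both headers: the broad policy is enforced, the strict one only reports."""
    report_only = {**report_only, "report-uri": [endpoint]}
    return {
        "Content-Security-Policy": serialize_policy(enforce),
        "Content-Security-Policy-Report-Only": serialize_policy(report_only),
    }

def triage_report(body: str) -> dict:
    """Parse a report-uri JSON body and say which of the two policies produced it.

    CSP Level 3 adds 'disposition': 'enforce' means the load was blocked,
    'report' means it was only logged; older browsers omit the field.
    """
    r = json.loads(body)["csp-report"]
    disposition = r.get("disposition", "unknown")
    return {
        "policy": {"enforce": "enforced", "report": "report-only"}.get(disposition, "unknown"),
        "blocked": disposition == "enforce",
        "directive": r.get("effective-directive") or r.get("violated-directive"),
        "blocked_uri": r.get("blocked-uri"),
    }

# Constructed sample report: an image from an unlisted host trips the report-only
# img-src directive, so it was logged but not blocked.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "effective-directive": "img-src",
    "violated-directive": "img-src",
    "blocked-uri": "https://cdn.example.net/logo.png",
    "disposition": "report",
}})
```

Reports with "blocked": True come from the enforced policy and indicate real breakage; the rest are the data you use to decide whether the stricter policy is ready to promote.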

Implementing Reporting

For both modes, setting up violation reporting is crucial for monitoring and improving your policies.


Best Practices

  • Start with Report-Only mode to understand impact

  • Use reporting in both modes to track violations

  • Gradually transition from Report-Only to Enforce mode

  • Keep a Report-Only policy alongside the enforced one so you can test changes before promoting them

Conclusion

Using CSP's enforce and report-only modes effectively helps you build and maintain strong security policies while minimizing disruption to your website. Always start with report-only mode to understand the impact of your policies, and use reporting endpoints to monitor violations in both modes.
