CSP enforce & report only
Understanding CSP Modes
Content Security Policy can be delivered in two modes, each serving a specific purpose in your security strategy.
1. Enforce Mode
In enforce mode, the browser blocks every resource load, inline script, style or eval that violates your policy. This is the standard mode for protecting your website.
Example of CSP in enforce mode
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com;
2. Report-Only Mode
Report-only mode reports violations without blocking anything: the page renders exactly as it would with no policy, and the browser sends a report for each load it would have blocked. It is the right choice for testing a new policy or learning what your site actually loads. Without a report-uri or report-to directive a report-only policy only produces browser console messages, so always pair it with a reporting endpoint.
Example of CSP in report-only mode
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.com; report-uri https://report.centralcsp.com/<myendpoint>;
Meta Tag Limitation
Report-Only mode is not supported in meta tags: there is no meta http-equiv form of Content-Security-Policy-Report-Only, and the report-uri directive is ignored in a meta-delivered policy anyway. Use HTTP headers for testing policies.
When to Use Each Mode
Use Enforce Mode When:
Your policy has been thoroughly tested and you're ready to actively protect your site
Use Report-Only Mode When:
Testing new policies, analyzing potential impacts, or gathering data about your site's resource usage
Using Both Modes Together
You can use both modes simultaneously to enforce one policy while testing a stricter one.
Enforce, with a broad policy
Content-Security-Policy: default-src *; script-src 'self' * 'unsafe-inline' 'unsafe-eval';
Report-Only, with report-uri and more strict policy
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.com; img-src 'self' https://images.example.com; report-uri https://report.centralcsp.com/<myendpoint>;
Combined Usage
When using both modes, the enforce policy protects your site while the report-only policy helps you evaluate potential changes. The browser evaluates the two policies independently, and every report carries a disposition field ("enforce" or "report") that tells you which of the two policies produced it, so a single collector can keep real blocks and candidate-policy findings apart.
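The dual-header setup above, as an added example that is not code from the original page: the two policies are built from structured objects and attached to a response by an Express-style middleware, with a guard that refuses a report-only policy that has nowhere to send its reports. The collector URL https://report.example.com/csp is an assumption; replace it with your own endpoint.

```javascript
// Added example, not from the original page: build both CSP headers from
// structured policy objects and attach them to a response, Express-style.
// The policy contents are the ones shown above; the report endpoint URL is
// assumed (replace it with your own collector).

const REPORT_ENDPOINT = "https://report.example.com/csp"; // assumed placeholder

// Serialize { directive: [sources] } into a header value. Keyword sources such
// as 'self' keep their quotes; a directive with no sources is emitted bare
// (e.g. upgrade-insecure-requests).
function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) =>
      sources.length ? `${directive} ${sources.join(" ")}` : directive
    )
    .join("; ");
}

// Broad policy that is actually enforced today.
const enforcedPolicy = {
  "default-src": ["*"],
  "script-src": ["'self'", "*", "'unsafe-inline'", "'unsafe-eval'"],
};

// Stricter candidate policy: reported, never enforced, until its reports are clean.
const candidatePolicy = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://trusted.com"],
  "img-src": ["'self'", "https://images.example.com"],
  "report-uri": [REPORT_ENDPOINT],
};

// Header map a response should carry so that both policies apply at once.
function cspHeaders(enforce, reportOnly) {
  const headers = { "Content-Security-Policy": serializePolicy(enforce) };
  if (reportOnly) {
    // A report-only policy without a reporting directive only writes to the
    // browser console, so treat that as a configuration error.
    if (!reportOnly["report-uri"] && !reportOnly["report-to"]) {
      throw new Error("report-only policy needs report-uri or report-to");
    }
    headers["Content-Security-Policy-Report-Only"] = serializePolicy(reportOnly);
  }
  return headers;
}

// Express/Connect-style middleware; any response object with setHeader works.
function cspMiddleware(enforce, reportOnly) {
  const headers = cspHeaders(enforce, reportOnly);
  return function (req, res, next) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (typeof next === "function") next();
  };
}

// Stand-alone demo against a stub response object. With Express you would
// write app.use(cspMiddleware(enforcedPolicy, candidatePolicy)).
function demo() {
  const sent = {};
  const res = { setHeader: (name, value) => { sent[name] = value; } };
  cspMiddleware(enforcedPolicy, candidatePolicy)({}, res, () => {});
  return sent;
}

console.log(demo());
```

Keeping the policies as objects rather than hand-written strings makes the next tightening step a one-line change (move a source from the enforced policy to the candidate, or drop a directive) and keeps the two header values from drifting apart in formatting.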
Implementing Reporting
For both modes, setting up violation reporting is crucial for monitoring and improving your policies. An enforced policy with a reporting directive tells you what it is blocking in production, which is how you learn that a policy broke something; a report-only policy without one tells you nothing beyond console messages. The report-uri directive is deprecated in favor of report-to with the Reporting-Endpoints header, but it is still the more widely supported of the two, so it is common to specify both.
Learn more about CSP reporting
Best Practices
Start with Report-Only mode to understand impact
Use reporting in both modes to track violations
Gradually transition from Report-Only to Enforce mode
Keep Report-Only policy when enforcing to test changes
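The collector side of the reporting section and of the report-only-to-enforce transition described in the best practices, as an added example that is not code from the original page: it accepts both delivery formats a browser may use (the legacy application/csp-report body sent for report-uri and the application/reports+json body sent for report-to), keys every violation by its disposition so enforced blocks are never mixed with report-only findings, and lists what the candidate policy would start blocking if it were promoted. The sample deliveries, hostnames and the extension-prefix noise filter are constructed for the example.

```javascript
// Added example, not from the original page: a CSP report collector that
// normalizes both delivery formats, separates violations by disposition, and
// reports what the report-only policy would block once enforced.
// The sample deliveries below are constructed, not real traffic.

// Flatten one request body into violation records.
function parseCspReports(contentType, bodyText) {
  const type = String(contentType || "").split(";")[0].trim().toLowerCase();
  const json = JSON.parse(bodyText);

  if (type === "application/csp-report") {
    // Legacy report-uri format: one report per request, wrapped in "csp-report".
    const r = json["csp-report"];
    if (!r) throw new Error("missing csp-report member");
    return [{
      documentUrl: r["document-uri"],
      // violated-directive may carry the full directive text in older browsers.
      directive: r["effective-directive"] || String(r["violated-directive"]).split(" ")[0],
      blockedUrl: r["blocked-uri"],
      // Some older browsers omit disposition here; do not guess which policy fired.
      disposition: r["disposition"] || "unknown",
    }];
  }

  if (type === "application/reports+json") {
    // Reporting API format (report-to): an array of reports of mixed types.
    if (!Array.isArray(json)) throw new Error("expected an array of reports");
    return json
      .filter((rep) => rep.type === "csp-violation" && rep.body)
      .map(({ body }) => ({
        documentUrl: body.documentURL,
        directive: body.effectiveDirective,
        blockedUrl: body.blockedURL,
        disposition: body.disposition || "unknown",
      }));
  }

  throw new Error(`unsupported content type: ${type}`);
}

// Violations caused by browser extensions are not the site's to fix; drop them
// before counting. Heuristic prefix list, not exhaustive.
const NOISE_PREFIXES = ["chrome-extension:", "moz-extension:", "safari-web-extension:"];
function isNoise(rec) {
  return NOISE_PREFIXES.some((p) => String(rec.blockedUrl || "").startsWith(p));
}

// Count violations per disposition|directive|blockedUrl.
function summarize(records) {
  const counts = new Map();
  for (const rec of records) {
    if (isNoise(rec)) continue;
    const key = `${rec.disposition}|${rec.directive}|${rec.blockedUrl}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Everything the report-only policy flagged: these loads would start failing
// the moment that policy is promoted to Content-Security-Policy.
function wouldBlockIfEnforced(counts) {
  const out = [];
  for (const [key, count] of counts) {
    const [disposition, directive, blockedUrl] = key.split("|");
    if (disposition === "report") out.push({ directive, blockedUrl, count });
  }
  return out.sort((a, b) => b.count - a.count);
}

// Constructed sample deliveries: two legacy bodies and one Reporting API batch.
const SAMPLE_DELIVERIES = [
  { contentType: "application/csp-report", body: JSON.stringify({ "csp-report": {
      "document-uri": "https://example.com/", "effective-directive": "img-src",
      "blocked-uri": "https://cdn.example.net/logo.png", "disposition": "report" } }) },
  { contentType: "application/reports+json", body: JSON.stringify([
      { type: "csp-violation", body: { documentURL: "https://example.com/", effectiveDirective: "img-src", blockedURL: "data", disposition: "enforce" } },
      { type: "csp-violation", body: { documentURL: "https://example.com/", effectiveDirective: "script-src", blockedURL: "https://cdn.example.net/widget.js", disposition: "report" } },
      { type: "csp-violation", body: { documentURL: "https://example.com/", effectiveDirective: "script-src", blockedURL: "chrome-extension://abcdef/inject.js", disposition: "report" } },
      { type: "deprecation", body: { id: "SomeApi", message: "not a CSP report, ignored" } } ]) },
  { contentType: "application/csp-report; charset=utf-8", body: JSON.stringify({ "csp-report": {
      "document-uri": "https://example.com/about", "violated-directive": "script-src 'self' https://trusted.com",
      "blocked-uri": "https://cdn.example.net/widget.js", "disposition": "report" } }) },
];

function collectSamples() {
  return SAMPLE_DELIVERIES.flatMap((d) => parseCspReports(d.contentType, d.body));
}

console.log(wouldBlockIfEnforced(summarize(collectSamples())));
```

The list returned by wouldBlockIfEnforced is the work queue for the transition: each entry is either a legitimate source to add to the candidate policy or something you are happy to lose, and the candidate is ready to be promoted when the list is empty for a representative period. If you cannot rely on the disposition field (for example because of browsers that omit it from legacy reports), point the enforced and report-only policies at two different endpoint paths so the path itself identifies the policy.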
Conclusion
Using CSP's enforce and report-only modes effectively helps you build and maintain strong security policies while minimizing disruption to your website. Always start with report-only mode to understand the impact of your policies, and use reporting endpoints to monitor violations in both modes.