CSP - What happens if I define multiple policies?
Multiple policies defined in the same page
While it's possible to define your CSP across multiple headers, it's recommended to consolidate your policy into a single header. A single policy is easier to maintain, and the effective policy is easier to predict, because there is only one set of directives (and one default-src fallback) to reason about.
Single Header Approach (Recommended)
Example of a consolidated CSP in a single header
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com; style-src 'self' 'unsafe-inline';
Multiple Headers Approach
Example of CSP split across multiple headers
Content-Security-Policy: default-src 'self';
Content-Security-Policy: script-src 'self' https://trusted.com;
Content-Security-Policy: style-src 'self' 'unsafe-inline';
Policy Combination
When several policies are present, the browser does not merge them directive by directive. It enforces each policy independently, and a request or inline resource is allowed only if every policy allows it, so the effective policy is the intersection (the most restrictive combination) of all of them. The same happens when a single header value contains several policies separated by commas: a value such as "default-src 'self', script-src 'self'" is two independent policies, exactly as if two headers had been sent.
This is why the split example above is not equivalent to the consolidated one. The first policy contains no script-src or style-src, so its default-src 'self' governs scripts and styles on its own: scripts from https://trusted.com and inline styles are blocked by that first policy regardless of what the other two headers allow.
Policy Intersection Example
Because each policy is evaluated separately, a source that one policy allows can still be blocked by another. Let's see this in action:
First CSP header
Content-Security-Policy: script-src 'self' https://trusted.com https://analytics.com;
Second CSP header
Content-Security-Policy: script-src 'self' https://trusted.com;
Result
The effective policy only allows scripts from 'self' and https://trusted.com. A script from https://analytics.com is allowed by the first policy but blocked by the second, and one blocking policy is enough to block the load.
[Figure: CSP multiple policies behavior, authorized case]
Report
When only the report-only policy blocks website.com, the load is still allowed by the enforced policies, but a violation is sent to the report-uri defined in the report-only policy.
[Figure: CSP multiple policies behavior, blocked case]
Report
When one of the enforced policies blocks website.com, the load is blocked and the violation is sent to the report-uri defined in that enforced policy (enforced policy 1). Each policy reports its own violations to its own endpoint.
Report-Only and Enforced Policies Together
You can use both Content-Security-Policy and Content-Security-Policy-Report-Only headers on the same response. This lets you enforce one policy while testing a stricter one in report-only mode, which is the usual way to roll out a tightened policy without breaking the site.
Enforced CSP header
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com;
Report-only CSP header (stricter policy being tested)
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self';
Behavior
In this example, scripts from https://trusted.com execute, because the enforced policy allows them, but each such load generates a violation against the stricter report-only policy. Note that neither header above carries a report-uri or report-to directive, so those violations only appear in the browser's developer console; add a reporting directive to the report-only header if you want to collect them server-side before promoting the stricter policy to enforcement.
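The following is an added example, not code from the original page: a small model of how a browser combines several CSP policies, covering the independent evaluation of each policy, the per-policy default-src fallback, comma-separated policies inside one header, and the split between enforced and report-only violations. Source matching is deliberately simplified (no port or path matching, scheme-less hosts match any scheme); the page origin https://example.com and the report endpoints /csp-enforced and /csp-report-only are assumptions made for the demonstration.

```javascript
// Added example (not the original page's code): a model of how a browser
// combines several Content-Security-Policy headers. Source matching is
// simplified (no port/path matching, scheme-less hosts match any scheme);
// the combination logic is the part that matters here.

// Split one header into policies. The spec treats a comma-separated header
// value exactly like repeated headers: "a; b, c" is two independent policies.
function parseHeader(name, value) {
  const reportOnly = name.toLowerCase() === 'content-security-policy-report-only';
  return value.split(',').map(p => p.trim()).filter(Boolean).map(policy => {
    const directives = new Map();
    for (const token of policy.split(';')) {
      const [dname, ...sources] = token.trim().split(/\s+/).filter(Boolean);
      if (!dname) continue;
      const key = dname.toLowerCase();
      // A directive repeated inside one policy is ignored; the first one wins.
      if (!directives.has(key)) directives.set(key, sources);
    }
    return { reportOnly, directives };
  });
}

// Does a single source expression allow a URL fetch? (simplified matching)
function sourceMatches(expr, url, pageOrigin) {
  const target = new URL(url);
  if (expr === "'self'") return target.origin === pageOrigin;
  if (expr === '*') return true; // real '*' still excludes data:, blob:, filesystem:
  if (expr.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return target.protocol === expr.toLowerCase(); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() + ':' !== target.protocol) return false;
  const h = target.hostname.toLowerCase();
  return wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
}

// Evaluate one fetch against every policy carried by the response headers.
// headers: array of [name, value] pairs, in the order the browser received them.
function evaluate(headers, directive, url, pageOrigin) {
  const policies = headers.flatMap(([name, value]) => parseHeader(name, value));
  const result = { blocked: false, violations: [] };
  policies.forEach((policy, index) => {
    // Each policy is checked on its own. A fetch directive missing from a
    // policy falls back to that policy's default-src, never to another policy's.
    const sources = policy.directives.get(directive) ?? policy.directives.get('default-src');
    if (!sources) return; // this policy says nothing about the directive: it allows
    if (sources.some(expr => sourceMatches(expr, url, pageOrigin))) return;
    const reportTo = policy.directives.get('report-uri')?.[0]
      ?? policy.directives.get('report-to')?.[0] ?? null;
    // A violation is reported to the endpoint of the policy that was violated.
    result.violations.push({ policy: index, reportOnly: policy.reportOnly, reportTo });
    if (!policy.reportOnly) result.blocked = true; // any enforced policy blocking => blocked
  });
  return result;
}

const PAGE_ORIGIN = 'https://example.com'; // assumed origin of the page being loaded

// The page's "split across multiple headers" example: the first policy has no
// script-src, so its default-src 'self' governs scripts and trusted.com is blocked.
const splitHeaders = [
  ['Content-Security-Policy', "default-src 'self';"],
  ['Content-Security-Policy', "script-src 'self' https://trusted.com;"],
  ['Content-Security-Policy', "style-src 'self' 'unsafe-inline';"],
];

// The page's enforced + report-only example, with report endpoints added so the
// violations have somewhere to go (the endpoint paths are assumptions).
const mixedHeaders = [
  ['Content-Security-Policy', "default-src 'self'; script-src 'self' https://trusted.com; report-uri /csp-enforced"],
  ['Content-Security-Policy-Report-Only', "default-src 'self'; script-src 'self'; report-uri /csp-report-only"],
];

console.log(evaluate(splitHeaders, 'script-src', 'https://trusted.com/app.js', PAGE_ORIGIN));
console.log(evaluate(mixedHeaders, 'script-src', 'https://trusted.com/app.js', PAGE_ORIGIN));
```

Run it with node: the first call shows the split-header example blocking a trusted.com script because policy 0 (default-src 'self') never allowed it, while the second call shows the enforced policy letting the same script through and the report-only policy recording a violation bound for /csp-report-only.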
Conclusion
While it's possible to implement multiple CSP policies, consolidating them into a single, well-structured policy is the recommended approach. This simplifies maintenance, reduces the risk of conflicts, and makes it easier to understand and update your security policies. Always use CSP reporting to monitor policy effectiveness and identify potential issues.