CSP enforce & report only

Monday, November 18, 2024

5 min read

Theotime Quere

Content Security Policy offers two modes of operation: enforce and report-only. Understanding when and how to use each mode is crucial for effectively implementing and testing your security policies.

Understanding CSP Modes

Content Security Policy can be implemented in two different modes, each serving a specific purpose in your security strategy.

1. Enforce Mode

In enforce mode, the browser actively blocks any content that violates your CSP rules. This is the standard mode for protecting your website.

Example of CSP in enforce mode

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com;

2. Report-Only Mode

Report-only mode monitors violations without blocking content. It's perfect for testing new policies or understanding your website's behavior.

Example of CSP in report-only mode

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.com; report-uri https://report.centralcsp.com/your-endpoint;

Meta Tag Limitation

Report-Only mode is not supported in meta tags. Use HTTP headers for testing policies.

When to Use Each Mode

  • Use Enforce Mode When:

    Your policy has been thoroughly tested and you're ready to actively protect your site

  • Use Report-Only Mode When:

    Testing new policies, analyzing potential impacts, or gathering data about your site's resource usage

Using Both Modes Together

You can use both modes simultaneously to enforce one policy while testing a stricter one.

Enforce, with a broad policy

Content-Security-Policy: default-src *; script-src 'self' * 'unsafe-inline' 'unsafe-eval';

Report-Only, with report-uri and more strict policy

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.com; img-src 'self' https://images.example.com; report-uri https://report.centralcsp.com/your-endpoint;
Combined Usage

When using both modes, the enforce policy protects your site while the report-only policy helps you evaluate potential changes.

Implementing Reporting

For both modes, setting up violation reporting is crucial for monitoring and improving your policies:

Create your Account

Sign up for a CentralCSP account in a minute. Get a 14-day free trial.

Create a Reporting Endpoint

Once logged in, register your application and get your reporting endpoint. You'll receive a unique endpoint URL that looks like: https://report.centralcsp.com/[your-endpoint-id]

Configure Your CSP Headers

Add your new endpoint URL to your CSP configuration using both report-uri and report-to directives for maximum browser compatibility.

Monitor Violations

Access your CentralCSP dashboard to view and analyze any CSP violations in real-time. You'll receive detailed reports about blocked resources and potential security issues.
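An added Python example (not CentralCSP's own code) covering the header step and the receiving side of the procedure above: it builds the enforce and report-only policies from this article with both report-uri and report-to, and normalises the two report formats a browser POSTs to the endpoint. The endpoint URL is the article's placeholder, the Reporting-Endpoints group name csp-endpoint is an arbitrary choice, and the sample reports are constructed rather than captured.

```python
import json

# Placeholder endpoint taken from the article; the real id comes from the dashboard.
ENDPOINT = "https://report.centralcsp.com/your-endpoint"

def csp_headers(enforce: str, report_only: str, endpoint: str = ENDPOINT) -> dict:
    """Headers for a broad enforced policy running beside a stricter report-only one.

    Both policies carry report-uri (legacy) and report-to (Reporting API) so older and
    newer browsers both deliver reports; report-to needs a Reporting-Endpoints header
    mapping the group name to the endpoint URL.
    """
    reporting = f"report-uri {endpoint}; report-to csp-endpoint"
    return {
        "Content-Security-Policy": f"{enforce.rstrip('; ')}; {reporting};",
        "Content-Security-Policy-Report-Only": f"{report_only.rstrip('; ')}; {reporting};",
        "Reporting-Endpoints": f'csp-endpoint="{endpoint}"',
    }

def parse_violations(content_type: str, body: bytes) -> list:
    """Normalise reports from either delivery path into one shape.

    report-uri POSTs application/csp-report: one {"csp-report": {...}} with kebab-case
    keys. report-to POSTs application/reports+json: a list of {"type": "csp-violation",
    "body": {...}} with camelCase keys. disposition ("enforce" or "report") tells which
    header produced the report, so report-only findings are triaged apart from blocks.
    """
    data = json.loads(body)
    if content_type.startswith("application/csp-report"):
        r = data["csp-report"]
        return [{"document": r.get("document-uri"),
                 "directive": r.get("effective-directive") or r.get("violated-directive"),
                 "blocked": r.get("blocked-uri"),
                 "disposition": r.get("disposition", "unknown")}]
    if content_type.startswith("application/reports+json"):
        return [{"document": rep["body"].get("documentURL"),
                 "directive": rep["body"].get("effectiveDirective"),
                 "blocked": rep["body"].get("blockedURL"),
                 "disposition": rep["body"].get("disposition", "unknown")}
                for rep in data if rep.get("type") == "csp-violation"]
    raise ValueError(f"unexpected report content type: {content_type}")

# Constructed sample reports shaped like browser submissions (not captured traffic).
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/", "effective-directive": "img-src",
    "blocked-uri": "https://untrusted.example/a.png", "disposition": "report"}}).encode()
MODERN_REPORT = json.dumps([{"type": "csp-violation", "age": 12, "url": "https://example.com/",
    "body": {"documentURL": "https://example.com/", "effectiveDirective": "script-src",
             "blockedURL": "inline", "disposition": "enforce"}}]).encode()
```

Filtering on the normalised disposition field is what lets the dashboard step separate "would have been blocked" findings from the stricter report-only policy from actual blocks by the enforced one.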

First Tier Benefits

The first tier includes all essential features: real-time violation reporting, detailed analytics, and support for multiple domains. Upgrade only when you need advanced features like custom alerting, API access, or higher volume reporting.

Best Practices

  • Start with Report-Only mode to understand impact

  • Use reporting in both modes to track violations

  • Gradually transition from Report-Only to Enforce mode

  • Keep Report-Only policy when enforcing to test changes

Conclusion

Using CSP's enforce and report-only modes effectively helps you build and maintain strong security policies while minimizing disruption to your website. Always start with report-only mode to understand the impact of your policies, and use reporting endpoints to monitor violations in both modes.
