Content Security Policy offers two modes of operation: enforce and report-only. Understanding when and how to use each mode is crucial for effectively implementing and testing your security policies.
Content Security Policy can be implemented in two different modes, each serving a specific purpose in your security strategy.
In enforce mode, the browser actively blocks any content that violates your CSP rules, and sends a violation report if reporting is configured. This is the standard mode for protecting your website.
Example of CSP in enforce mode
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com;
Report-only mode monitors violations without blocking content: the browser loads the resource as usual, logs the violation to the console, and sends a report if a reporting endpoint is configured. It's the right choice for testing new policies or understanding your website's behavior.
Example of CSP in report-only mode
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.com; report-uri https://report.centralcsp.com/your-endpoint;
Meta Tag Limitation
Report-Only mode is not supported in meta tags: there is no meta equivalent of the Content-Security-Policy-Report-Only header, and the report-uri directive is ignored inside a meta tag anyway (as are frame-ancestors and sandbox). Use HTTP headers for testing policies.
Use Enforce Mode When:
Your policy has been thoroughly tested and you're ready to actively protect your site
Use Report-Only Mode When:
Testing new policies, analyzing potential impacts, or gathering data about your site's resource usage
You can use both modes simultaneously, enforcing one policy while testing a stricter one. The browser evaluates the two headers independently, so a resource allowed by the enforced policy but rejected by the report-only policy is still loaded, and a report is sent for it.
Enforce, with a broad policy
Content-Security-Policy: default-src *; script-src 'self' * 'unsafe-inline' 'unsafe-eval';
Report-Only, with report-uri and more strict policy
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.com; img-src 'self' https://images.example.com; report-uri https://report.centralcsp.com/your-endpoint;
Combined Usage
When using both modes, the enforce policy protects your site while the report-only policy helps you evaluate potential changes. Reports generated by the two policies carry a disposition field ("enforce" or "report"), so you can send both to the same endpoint and filter on it to see what is actually being blocked versus what the candidate policy would block.
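The combined setup above, as an added example that is not CentralCSP's own code: the enforced policy and the stricter candidate are kept as plain objects, both headers are serialized from them, and a `promote` step turns the candidate into the enforced policy once its report-only run is clean. The endpoint URL, the `csp-endpoint` group name and the host names are placeholders taken from the headers on this page.

```javascript
// Added example (not CentralCSP's code): keep the enforced policy and the
// stricter candidate as plain objects, serialize both headers from them, and
// promote the candidate once its report-only run is clean.
// Endpoint URL, reporting group name and host names are placeholders.

const REPORT_ENDPOINT = "https://report.centralcsp.com/your-endpoint"; // placeholder

// {directive: [sources]} -> "directive src src; directive src" (insertion order kept).
function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) =>
      sources.length ? `${directive} ${sources.join(" ")}` : directive)
    .join("; ");
}

// Broad policy currently enforced: nothing breaks while data is gathered.
const broadPolicy = {
  "default-src": ["*"],
  "script-src": ["'self'", "*", "'unsafe-inline'", "'unsafe-eval'"],
};

// Stricter candidate, evaluated in report-only mode.
const strictPolicy = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://trusted.com"],
  "img-src": ["'self'", "https://images.example.com"],
};

// Emit the headers. Reporting directives go on BOTH policies so the endpoint
// sees real blocks (disposition "enforce") as well as would-be blocks
// (disposition "report"). `report-to` names a group that must be defined by a
// Reporting-Endpoints header; `report-uri` covers browsers without report-to.
function buildCspHeaders({ enforce, reportOnly, endpoint, group = "csp-endpoint" }) {
  const reporting = { "report-uri": [endpoint], "report-to": [group] };
  const headers = {
    "Reporting-Endpoints": `${group}="${endpoint}"`,
    "Content-Security-Policy": serializePolicy({ ...enforce, ...reporting }),
  };
  if (reportOnly) {
    headers["Content-Security-Policy-Report-Only"] =
      serializePolicy({ ...reportOnly, ...reporting });
  }
  return headers;
}

// Roll-out step: the candidate becomes the enforced policy and an optional
// next candidate (or nothing) takes its place in report-only mode.
function promote(config, nextCandidate = null) {
  return buildCspHeaders({ ...config, enforce: config.reportOnly, reportOnly: nextCandidate });
}

// Usage: current headers, then the headers after promotion.
const rolloutConfig = { enforce: broadPolicy, reportOnly: strictPolicy, endpoint: REPORT_ENDPOINT };
const currentHeaders = buildCspHeaders(rolloutConfig);
const promotedHeaders = promote(rolloutConfig);
```

Set the three entries of `currentHeaders` on every HTML response; after promotion, `promotedHeaders` no longer contains a Report-Only header unless you pass a new candidate to `promote`.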
For both modes, setting up violation reporting is crucial for monitoring and improving your policies:
Sign up for a CentralCSP account in a minute. Get 14 days free trial.
Once logged in, register your application and get your reporting endpoint. You'll receive a unique endpoint URL that looks like: https://report.centralcsp.com/[your-endpoint-id]
Add your new endpoint URL to your CSP configuration using both report-uri and report-to directives for maximum browser compatibility. Note that report-to takes a group name rather than a URL, so it only works when a Reporting-Endpoints header defines that group (for example Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/[your-endpoint-id]" together with report-to csp-endpoint); report-uri takes the URL directly and is what older browsers use. Browsers that support report-to ignore report-uri when both are present.
Access your CentralCSP dashboard to view and analyze any CSP violations in real-time. You'll receive detailed reports about blocked resources and potential security issues.
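Reports reach the endpoint in two formats, depending on which directive the browser used, and both carry the disposition that tells you which policy fired. The following receiver-side normalizer is an added example, not CentralCSP's code: it parses a legacy report-uri POST (Content-Type application/csp-report, one object under "csp-report" with hyphenated keys) and a Reporting API batch from report-to (Content-Type application/reports+json, an array whose csp-violation entries carry a camelCase body), then counts violations per disposition. The two sample reports are constructed for the example, not captured from a browser.

```javascript
// Added example (not CentralCSP's code): normalize the two CSP report formats a
// reporting endpoint receives and summarize them by disposition. Sample reports
// below are constructed, not captured from real browsers.

function normalizeCspReports(contentType, rawBody) {
  const data = JSON.parse(rawBody);
  if (contentType.startsWith("application/csp-report")) {
    // report-uri: a single object wrapped in "csp-report", hyphenated keys.
    const r = data["csp-report"];
    return [{
      disposition: r["disposition"] || "unknown", // older browsers may omit it
      documentUrl: r["document-uri"],
      directive: r["effective-directive"] || r["violated-directive"],
      blockedUrl: r["blocked-uri"],
    }];
  }
  if (contentType.startsWith("application/reports+json")) {
    // report-to: a Reporting API batch; it can mix report types, keep only CSP ones.
    return data
      .filter((rep) => rep.type === "csp-violation")
      .map(({ body }) => ({
        disposition: body.disposition || "unknown",
        documentUrl: body.documentURL,
        directive: body.effectiveDirective,
        blockedUrl: body.blockedURL,
      }));
  }
  throw new Error(`unexpected Content-Type: ${contentType}`);
}

// Count violations per disposition ("enforce" = actually blocked on a live
// page, "report" = the report-only policy would have blocked it).
function summarize(reports) {
  const summary = {};
  for (const r of reports) {
    const byKey = summary[r.disposition] || (summary[r.disposition] = {});
    const key = `${r.directive} -> ${r.blockedUrl}`;
    byKey[key] = (byKey[key] || 0) + 1;
  }
  return summary;
}

// Constructed sample: the report-only candidate flags a third-party image.
const LEGACY_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://www.example.com/checkout",
    "violated-directive": "img-src",
    "effective-directive": "img-src",
    "original-policy": "default-src 'self'; img-src 'self' https://images.example.com; report-uri https://report.centralcsp.com/your-endpoint",
    "blocked-uri": "https://cdn.other.example/banner.png",
    "disposition": "report",
  },
});

// Constructed sample: the enforced `default-src *` policy really blocked a data:
// image (`*` does not match data: URLs, reported as "data"), batched together
// with an unrelated deprecation report that must be ignored.
const REPORTING_API_BATCH = JSON.stringify([
  {
    type: "csp-violation", age: 12, url: "https://www.example.com/checkout", user_agent: "Mozilla/5.0",
    body: {
      documentURL: "https://www.example.com/checkout",
      effectiveDirective: "img-src",
      blockedURL: "data",
      originalPolicy: "default-src *; script-src 'self' * 'unsafe-inline' 'unsafe-eval'; report-to csp-endpoint",
      disposition: "enforce",
      statusCode: 200,
    },
  },
  { type: "deprecation", age: 3, url: "https://www.example.com/checkout", user_agent: "Mozilla/5.0", body: { id: "example" } },
]);

// Usage: ingest both sample payloads and return the per-disposition counts.
function demo() {
  const all = [
    ...normalizeCspReports("application/csp-report", LEGACY_REPORT),
    ...normalizeCspReports("application/reports+json; charset=utf-8", REPORTING_API_BATCH),
  ];
  return summarize(all);
}
```

In a real endpoint, `normalizeCspReports` would be called with the request's Content-Type and body; anything under the "enforce" key is a break on a live page and deserves immediate attention, while "report" entries are the backlog to clear before promoting the candidate policy.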
First Tier Benefits
The first tier includes all essential features: real-time violation reporting, detailed analytics, and support for multiple domains. Upgrade only when you need advanced features like custom alerting, API access, or higher volume reporting.
Start with Report-Only mode to understand impact
Use reporting in both modes to track violations
Gradually transition from Report-Only to Enforce mode
Keep Report-Only policy when enforcing to test changes
Using CSP's enforce and report-only modes effectively helps you build and maintain strong security policies while minimizing disruption to your website. Always start with report-only mode to understand the impact of your policies, and use reporting endpoints to monitor violations in both modes.
Written by
Theotime Quere
CentralSaaS © 2025