CSP & meta tags
Learn how to implement Content-Security-Policy using meta tags and understand the limitations compared to HTTP headers.
2024-11-16
4 min read
Theotime Quere
Read more →
Main menu
All articles
Next Article
CSP - What happens if i define multiple policies?
CSP enforce & report only
Content Security Policy offers two modes of operation: enforce and report-only. Understanding when and how to use each mode is crucial for effectively implementing and testing your security policies.
Understanding CSP Modes
Content Security Policy can be implemented in two different modes, each serving a specific purpose in your security strategy.
1. Enforce Mode
In enforce mode, the browser actively blocks any content that violates your CSP rules. This is the standard mode for protecting your website.
Example of CSP in enforce mode
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.com;Learn more about CSP directives
2. Report-Only Mode
Report-only mode monitors violations without blocking content. It's perfect for testing new policies or understanding your website's behavior.
Example of CSP in report-only mode
Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.com; report-uri https://report.centralcsp.com/your-endpoint;Meta Tag Limitation
Report-Only mode is not supported in meta tags. Use HTTP headers for testing policies.
Learn about CSP meta tags limitations
When to Use Each Mode
Use Enforce Mode When:
Your policy has been thoroughly tested and you're ready to actively protect your site
Use Report-Only Mode When:
Testing new policies, analyzing potential impacts, or gathering data about your site's resource usage
Using Both Modes Together
You can use both modes simultaneously to enforce one policy while testing a stricter one.
Enforce, with a broad policy
Content-Security-Policy: default-src *; script-src 'self' * 'unsafe-inline' 'unsafe-eval';Report-Only, with report-uri and more strict policy
Content-Security-Policy-Report-Only: Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.com; img-src 'self' https://images.example.com; report-uri https://report.centralcsp.com/your-endpoint;Learn more about multiple CSP policies in the same time
Combined Usage
When using both modes, the enforce policy protects your site while the report-only policy helps you evaluate potential changes.
Implementing Reporting
For both modes, setting up violation reporting is crucial for monitoring and improving your policies:
Create your Account
Sign up for a CentralCSP account in a minute. Get 14 days free trial.
Create a Reporting Endpoint
Once logged in, register you application and get your reporting endpoint. You'll receive a unique endpoint URL that looks like: https://report.centralcsp.com/[your-endpoint-id]
Configure Your CSP Headers
Add your new endpoint URL to your CSP configuration using both report-uri and report-to directives for maximum browser compatibility.
Monitor Violations
Access your CentralCSP dashboard to view and analyze any CSP violations in real-time. You'll receive detailed reports about blocked resources and potential security issues.
First Tier Benefits
The first tier includes all essential features: real-time violation reporting, detailed analytics, and support for multiple domains. Upgrade only when you need advanced features like custom alerting, API access, or higher volume reporting.
Best Practices
Start with Report-Only mode to understand impact
Use reporting in both modes to track violations
Gradually transition from Report-Only to Enforce mode
Keep Report-Only policy when enforcing to test changes
Conclusion
Using CSP's enforce and report-only modes effectively helps you build and maintain strong security policies while minimizing disruption to your website. Always start with report-only mode to understand the impact of your policies, and use reporting endpoints to monitor violations in both modes.
Continue Reading
How to setup my reporting endpoint?
Learn how to properly setup your reporting endpoint using report-uri & CentralCSP
2024-11-22
3 min read
Theotime Quere
Read more →
Main menu
All articles
Written by
Theotime Quere