CSP Headers

Content Security Policy headers are essential security controls for web applications. This guide covers the main HTTP headers used for implementing and reporting CSP violations.

Core Headers

Content-Security-Policy

The primary header for implementing Content Security Policy. It defines the security policy for your application. Learn more about Content Security Policy

Basic CSP header configuration

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'report-sample';
  style-src 'self';
  img-src 'self';
  font-src 'self';
  object-src 'none';
  base-uri 'none';
  form-action 'none';
  frame-ancestors 'none';
  frame-src 'self';
  connect-src 'none';
  upgrade-insecure-requests;
  report-uri https://report.centralcsp.com/<myendpoint>;
  • This is the main header for implementing CSP rules

  • Using 'unsafe-inline' and 'unsafe-eval' should be avoided when possible

  • Use the report-uri to collect violation reports from the browser

Content-Security-Policy-Report-Only

A non-enforcing version of CSP that reports violations without blocking content. Useful for testing and monitoring. Learn more about CSP Report-Only

Important: Report-Only mode is not supported in meta tags. It must be delivered via the HTTP header. See our CSP Meta Tags article for more details.

Report-Only CSP header configuration

Content-Security-Policy-Report-Only:
  default-src 'self';
  script-src 'self' 'report-sample';
  style-src 'self';
  img-src 'self';
  font-src 'self';
  object-src 'none';
  base-uri 'none';
  form-action 'none';
  frame-ancestors 'none';
  frame-src 'self';
  connect-src 'none';
  upgrade-insecure-requests;
  report-uri https://report.centralcsp.com/<myendpoint>;
  • Useful for testing CSP without breaking your site

  • Must be implemented via HTTP headers, not meta tags

Reporting Headers

Report-To

Specifies where to send violation reports. Learn more about Report-To

Important: The `Report-To` header is deprecated. Use the `Reporting-Endpoints` header instead. See our Report-To article for more details.

Deprecated Report-To header configuration

Report-To: {
    "group": "csp-endpoint",
    "max_age": 10886400,
    "endpoints": [
        {"url": "https://your-reporting-endpoint.com/csp-reports"}
    ]
  }
  • This header is deprecated. Use Reporting-Endpoints instead

Reporting-Endpoints

The modern way to specify reporting endpoints for various types of reports, including CSP violations. Learn more about Reporting-Endpoints

Modern Reporting-Endpoints header configuration

Reporting-Endpoints: csp-endpoint="https://your-reporting-endpoint.com/csp-reports"
  • Modern replacement for the deprecated Report-To header

  • Supports multiple endpoint types including CSP violations
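
As an added example (not code from this guide or from the centralcsp project), the Python below ties the header and reporting sections together: it serializes a directive list like the one above into the single header line a browser actually receives (the line breaks in the listings are only for readability), rejects a repeated directive because browsers apply only the first occurrence, and normalizes the two violation-report bodies a collector must accept, the legacy `report-uri` format (one object under a `csp-report` key) and the Reporting API format delivered to a `Reporting-Endpoints` endpoint named by a `report-to` directive (a JSON array of typed reports). The origins and report bodies are constructed samples embedded in the block.

```python
import json

# Directives from the guide above (duplicate base-uri removed).
POLICY = [
    "default-src 'self'",
    "script-src 'self' 'report-sample'",
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
    "report-uri https://report.centralcsp.com/<myendpoint>",
]

# Constructed sample bodies (hypothetical origins), one per wire format.
LEGACY_BODY = json.dumps({"csp-report": {
    "document-uri": "https://app.example/", "violated-directive": "script-src",
    "effective-directive": "script-src", "blocked-uri": "https://cdn.example/x.js",
    "disposition": "report"}})
REPORTING_API_BODY = json.dumps([
    {"type": "deprecation", "body": {}},  # other report types share the endpoint
    {"type": "csp-violation", "age": 12, "url": "https://app.example/", "body": {
        "documentURL": "https://app.example/", "effectiveDirective": "img-src",
        "blockedURL": "https://cdn.example/a.png", "disposition": "enforce"}},
])

def build_csp_header(directives, report_only=False):
    """Join directives into the single header line a browser receives; a repeated
    directive is an error because browsers honour only its first occurrence."""
    seen = set()
    for directive in directives:
        name = directive.split()[0]
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return f"{header}: {'; '.join(directives)}"

def parse_violation_reports(body):
    """Normalize both formats to {document, directive, blocked, disposition}."""
    data = json.loads(body)
    if isinstance(data, dict) and "csp-report" in data:  # legacy report-uri format
        r = data["csp-report"]
        return [{"document": r.get("document-uri"),
                 "directive": r.get("effective-directive") or r.get("violated-directive"),
                 "blocked": r.get("blocked-uri"), "disposition": r.get("disposition", "enforce")}]
    return [{"document": r["body"].get("documentURL"),  # Reporting API format
             "directive": r["body"].get("effectiveDirective"),
             "blocked": r["body"].get("blockedURL"),
             "disposition": r["body"].get("disposition", "enforce")}
            for r in data if r.get("type") == "csp-violation"]
```

The `disposition` field tells you whether a report came from an enforced policy or a Report-Only one, which matters when both headers are sent during a rollout.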

Related Headers

X-Frame-Options

Controls whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Learn more about X-Frame-Options

Important: While the `X-Frame-Options` header is still supported, it's recommended to use the Content Security Policy `frame-ancestors` directive instead. CSP provides more granular control and better browser support for framing policies. The `X-Frame-Options` header can be used alongside CSP as a fallback for older browsers. See our X-Frame-Options vs Frame-Ancestors article for more details.

X-Frame-Options header values

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
  • DENY: the page may not be rendered in a frame at all, whatever the framing site

  • SAMEORIGIN: the page may be framed only by a page from the same origin

  • ALLOW-FROM uri: the page may be framed only by the specified origin; this value is obsolete and not supported by modern browsers, so use `frame-ancestors` for per-origin framing rules

Best Practices

  • Start with Report-Only to identify potential issues without breaking your site

  • Use Reporting-Endpoints instead of the deprecated Report-To header

  • Always include frame-ancestors directive to prevent clickjacking

  • Regularly monitor violation reports to identify and address security issues
