CSP Headers
Content Security Policy headers are essential security controls for web applications. This guide covers the main HTTP headers used for implementing CSP and reporting CSP violations.

Core Headers
Content-Security-Policy
The primary header for implementing Content Security Policy. It defines the security policy for your application. Learn more about Content Security Policy

Basic CSP header configuration

```http
Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'report-sample';
  style-src 'self';
  img-src 'self';
  font-src 'self';
  object-src 'none';
  base-uri 'none';
  form-action 'none';
  frame-ancestors 'none';
  frame-src 'self';
  connect-src 'none';
  upgrade-insecure-requests;
  report-uri https://report.centralcsp.com/<myendpoint>;
```

- This is the main header for enforcing CSP rules.
- Avoid 'unsafe-inline' and 'unsafe-eval' whenever possible; they undo most of the protection script-src provides against injected scripts.
- Use report-uri to collect violation reports from the browser.
Content-Security-Policy-Report-Only
A non-enforcing version of CSP that reports violations without blocking content. Useful for testing and monitoring. Learn more about CSP Report-Only

Important: Report-Only mode is not supported in meta tags. It must be implemented via HTTP headers. See our CSP Meta Tags article for more details.

Report-Only CSP header configuration

```http
Content-Security-Policy-Report-Only:
  default-src 'self';
  script-src 'self' 'report-sample';
  style-src 'self';
  img-src 'self';
  font-src 'self';
  object-src 'none';
  base-uri 'none';
  form-action 'none';
  frame-ancestors 'none';
  frame-src 'self';
  connect-src 'none';
  upgrade-insecure-requests;
  report-uri https://report.centralcsp.com/<myendpoint>;
```

- Useful for testing a CSP without breaking your site; nothing is blocked, only reported.
- Must be implemented via HTTP headers, not meta tags.
Reporting Headers
Report-To
Specifies where to send violation reports. Learn more about Report-To

Important: The `Report-To` header is deprecated. Use the `Reporting-Endpoints` header instead. See our Report-To article for more details.

Deprecated Report-To header configuration

```http
Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://your-reporting-endpoint.com/csp-reports"}]}
```

- This header is deprecated. Use Reporting-Endpoints instead.
Reporting-Endpoints
The modern way to specify reporting endpoints for various types of reports, including CSP violations. Learn more about Reporting-Endpoints

Modern Reporting-Endpoints header configuration

```http
Reporting-Endpoints: csp-endpoint="https://your-reporting-endpoint.com/csp-reports"
```

- Modern replacement for the deprecated Report-To header.
- Supports multiple endpoint types, including CSP violations.
- The policy must reference the endpoint by name with a `report-to` directive (for example `report-to csp-endpoint`); `report-uri` can be kept alongside it as a fallback for browsers that do not support `report-to`.
Related Headers
X-Frame-Options
Controls whether a browser should be allowed to render a page in a `<frame>`, `<iframe>`, `<embed>` or `<object>`.
Learn more about X-Frame-Options
Important: While the `X-Frame-Options` header is still supported, it is recommended to use the Content Security Policy `frame-ancestors` directive instead. CSP provides more granular control and better browser support for framing policies. The `X-Frame-Options` header can be used alongside CSP as a fallback for older browsers; when both are present, browsers that understand `frame-ancestors` apply it and ignore `X-Frame-Options`. See our X-Frame-Options vs Frame-Ancestors article for more details.
X-Frame-Options header values
```http
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
```

- DENY: the page may not be rendered in a frame by any site, including its own origin.
- SAMEORIGIN: the page may only be framed by pages from the same origin.
- ALLOW-FROM uri: was meant to permit framing only by the given origin; it is obsolete and ignored by modern browsers, so use the CSP `frame-ancestors` directive for this case.
Best Practices
- Start with Report-Only to identify potential issues without breaking your site.
- Use Reporting-Endpoints instead of the deprecated Report-To header.
- Always include the frame-ancestors directive to prevent clickjacking.
- Regularly monitor violation reports to identify and address security issues.
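To put the practices above into a repeatable check, here is an added example (not CentralCSP's code, and not part of the original page) that lints a CSP header value for the mistakes shown on this page and pairs a policy with a `Reporting-Endpoints` header. It assumes Python 3.9+; the endpoint name `csp-endpoint`, the sample policy and the `example.invalid` URL are constructed for illustration.

```python
# Source keywords that CSP only recognises when single-quoted ('self', never bare self).
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic", "report-sample"}


def lint_csp(policy: str) -> list[str]:
    """Return findings for a CSP header value; an empty list means nothing was flagged."""
    findings, seen = [], set()
    for clause in policy.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name in seen:  # browsers honour the first occurrence and ignore the repeat
            findings.append(f"duplicate directive {name}")
        seen.add(name)
        if "'" in name:  # e.g. default-src' self' : a quote glued onto the directive name
            findings.append(f"malformed directive name {name}")
        for src in sources:
            if src.count("'") == 1:
                findings.append(f"{name}: unbalanced quote in {src}")
            elif src.lower() in KEYWORDS:  # bare self is parsed as a host named "self"
                findings.append(f"{name}: keyword {src} must be quoted as '{src}'")
            elif name in ("script-src", "default-src") and src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{name}: {src} weakens protection against injected scripts")
    if "frame-ancestors" not in seen:
        findings.append("missing frame-ancestors: no clickjacking protection")
    if not seen & {"report-uri", "report-to"}:
        findings.append("no report-uri/report-to directive: violations will not be reported")
    return findings


def build_headers(policy: str, endpoint_url: str, report_only: bool = True) -> dict[str, str]:
    """Pair a policy with a Reporting-Endpoints header and the report-to directive
    that names it. Defaults to Report-Only, the mode to start with before enforcing."""
    group = "csp-endpoint"  # assumed endpoint name; any token works as long as both sides match
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    directives = [c.strip() for c in policy.split(";") if c.strip()]
    if not any(d.startswith("report-to ") for d in directives):
        directives.append(f"report-to {group}")
    return {"Reporting-Endpoints": f'{group}="{endpoint_url}"', header: "; ".join(directives)}


# Constructed sample: the enforcing policy from this page, with its original typos left in.
BROKEN_POLICY = ("default-src' self'; script-src'self' 'report-sample'; object-src 'none'; "
                 "base-uri 'none'; form-action 'none'; base-uri 'none'; connect-src 'none'")

if __name__ == "__main__":
    for finding in lint_csp(BROKEN_POLICY):
        print("finding:", finding)
    print(build_headers("default-src 'self'; frame-ancestors 'none'", "https://example.invalid/r"))
```

Run it against the policy you are about to ship; an empty findings list from `lint_csp` is the gate before switching `report_only` to `False`.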
Related Resources
External Articles
- MDN Web Docs: Content-Security-Policy
- OWASP: Content Security Policy Cheat Sheet
- Google Web Fundamentals: Content Security Policy
Related Documentation Sections
- CSP Directives - Learn about specific CSP directives
- CSP Best Practices - Guidelines for implementing CSP
- CSP Reporting - Understanding CSP violation reports