Content Security Policy (CSP)
Quick Reference Guide


Content-Security-Policy-Report-Only Header

What is the Content-Security-Policy-Report-Only header?

Why use the Content-Security-Policy-Report-Only Header?

It is a great way to see the possible effect of implementing a Content-Security-Policy header without actually blocking anything. When you use Content-Security-Policy-Report-Only it only sends reports to the developer tools console and if you have specified a report-to or report-uri directive it can post a JSON representation of the a violation to a URI endpoint that you specify.

Content-Security-Policy-Report-Only Browser Support

CSP Level 1


Supported On:


Chrome 25+ (2013)
Firefox 23+ (2013)
Safari 7+ (2013)
Edge 12+ (2015)

The Content-Security-Policy-Report-Only header has been supported since the first version of CSP Level 1. This means that support has existed since 2013: Chrome 25+, Firefox 23+, Safari 7+ or IE Edge 12+.

CSP Developer Field Guide

CSP Developer Field Guide

Want to learn the ins and outs CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.

Grab a Copy

Struggling to stay on top of security advisories?

Advisory Week is a weekly roundup of all the security advisories published by the major software vendors.