
Content Security Policy Report Only


The HTTP Content-Security-Policy-Report-Only response header lets you monitor Content Security Policy (CSP) violations without enforcing the policy: the browser evaluates the policy, reports what it would have blocked, and loads the page exactly as it would without any CSP.
This makes it possible to test a policy and fix the violations it reports before the same policy is deployed in an enforcing Content-Security-Policy header. Unlike Content-Security-Policy, the report-only header cannot be delivered in an HTML <meta> element; it must be sent as an HTTP response header.

A report-to directive (or the deprecated report-uri directive) must be present in the policy for reports to be sent; a report-only header without a reporting directive has no effect, since nothing is enforced and nothing is reported.

Violation reports are sent via the Reporting API to endpoints defined in a Reporting-Endpoints HTTP response header and are selected using the CSP report-to directive.

For additional details, refer to our comprehensive Content Security Policy (CSP) guide.

Note:
The header can also be used with the deprecated report-uri directive, which is being replaced by report-to.
The syntax for usage and reports differs slightly; see the report-uri topic for more information.

Syntax

Content-Security-Policy-Report-Only: <policy-directive>; …; <policy-directive>; report-to <endpoint-name>

Directives

The Content-Security-Policy-Report-Only header supports all Content-Security-Policy directives except sandbox, which is ignored. Both headers may be sent on the same response: the enforced Content-Security-Policy blocks, while the report-only policy only reports, so a stricter candidate policy can be trialed alongside the live one.

Example

The following example shows how to configure CSP reporting so that policy violations are reported rather than blocked.

Using Content-Security-Policy-Report-Only to send CSP reports

To implement reporting with the report-to directive, you must first define the reporting endpoint through the Reporting-Endpoints response header. For instance, the following example sets up a single endpoint named csp-endpoint.

http
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"

Next, name the destination of the report in the policy using report-to (and, for browsers without Reporting API support, report-uri). With the policy below, if the page loads a resource over a non-HTTPS URL or runs inline script or style, the browser sends a violation report but does not block the load.

http
Content-Security-Policy-Report-Only: default-src https:;
 report-uri /csp-report-url/;
 report-to csp-endpoint;

Note:
The report-to directive is the preferred method for reporting, replacing the deprecated report-uri. However, both are included here because report-to lacks full cross-browser support at present.

How to Modify Header using Requestly

Requestly is a Chrome extension that lets you modify HTTP response headers such as Content-Security-Policy-Report-Only in your own browser. This lets you try a policy against a live site and observe the resulting reports without blocking any content, which makes debugging a new policy easier.

Steps to modify the Content-Security-Policy-Report-Only header:

  1. Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
  3. Add a new header modification:
    • Under “Action”, select “Add” or “Override”.
    • In the “Header Name” field, enter Content-Security-Policy-Report-Only.
    • In the “Header Value” field, enter the desired policy string, for example default-src 'self'; report-uri /csp-report (use straight single quotes around keywords such as 'self'; curly quotes are not valid CSP syntax).
  4. Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-site.com/*).
  5. Save the rule.

After setup, Requestly modifies the Content-Security-Policy-Report-Only header on matching responses, letting you test a CSP policy by observing reports without enforcing restrictions. Note that the change is local to your browser and does not alter what the server sends to other users, and that if the policy uses report-to, the matching Reporting-Endpoints header must also be present on the response (add it with a second Modify Headers rule if the server does not already send it).