http-header : content-security-policy-report-only

Content-Security-Policy-Report-Only is a response header that lets web developers experiment with a policy by monitoring its effects rather than enforcing them. Each violation is reported as a JSON document sent in an HTTP POST request to the URI specified in the policy.

To ease deployment, it is better to deploy CSP in report-only mode first. The policy is not put into effect; instead, any violation is reported to the URI provided, and no content on the website is blocked. This gives us a dry run of the CSP configuration, with a notification whenever a violation occurs. The report-only header is also useful for testing a future revision of a policy without deploying it for real.

If both headers, Content-Security-Policy-Report-Only and Content-Security-Policy, are present in the same response, both policies are honored: the policy in the Content-Security-Policy header is enforced, while the policy in the Content-Security-Policy-Report-Only header only generates reports and is not enforced.

Enablement in Apache:
Add the line below to httpd.conf inside the VirtualHost block, or to an .htaccess file.
Header set Content-Security-Policy-Report-Only "report-uri /csp-violation-report-endpoint/"

Enablement in Nginx:
Add the line below inside the server {} block.
add_header Content-Security-Policy-Report-Only "report-uri /csp-violation-report-endpoint/";

Enablement in IIS:
Either use the HTTP Response Headers GUI in IIS Manager, or add the header in the web.config file.
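The endpoint the three configurations above point to (/csp-violation-report-endpoint/) has to validate what browsers POST to it before logging anything. The Python below is an added example, not part of this page or of any vendor's code: it parses one violation report, assuming the report-uri format (a JSON body with a top-level csp-report object, sent as application/csp-report), a constructed sample report, and an assumed noise heuristic for extension-injected scripts; it also assumes the report-only header carries a policy directive such as script-src 'self' next to report-uri, since a policy containing only report-uri produces no violations.

```python
import json

# Field names a browser puts in the "csp-report" object (from the CSP spec).
REQUIRED_FIELDS = ("document-uri", "violated-directive", "blocked-uri", "original-policy")
# blocked-uri schemes that usually come from browser extensions or internal pages
# rather than the site's own content (assumed heuristic; count them separately).
NOISE_SCHEMES = ("chrome-extension:", "moz-extension:", "safari-extension:", "about:")


def parse_csp_report(body: bytes, content_type: str) -> dict:
    """Validate one report POSTed to the report-uri endpoint; return its key
    fields plus a 'noise' flag, or raise ValueError if it is not a CSP report."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in ("application/csp-report", "application/json"):
        raise ValueError(f"unexpected content type: {content_type}")
    if len(body) > 16 * 1024:  # assumed size cap: genuine reports are small
        raise ValueError("report too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"malformed JSON: {exc}") from exc
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing 'csp-report' object")
    missing = [f for f in REQUIRED_FIELDS if not isinstance(report.get(f), str)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    blocked = report["blocked-uri"]
    return {
        "document_uri": report["document-uri"],
        "violated_directive": report["violated-directive"],
        # older browsers omit effective-directive; fall back to the directive name
        "effective_directive": report.get("effective-directive")
        or report["violated-directive"].split()[0],
        "blocked_uri": blocked,
        "original_policy": report["original-policy"],
        "noise": blocked.startswith(NOISE_SCHEMES),
    }


# Constructed sample: what a browser would POST after a report-only policy of
# "script-src 'self'" sees a third-party script on the page.
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/checkout",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "script-src 'self'; report-uri /csp-violation-report-endpoint/",
    "blocked-uri": "https://cdn.example.net/widget.js",
    "status-code": 200,
}}).encode()
```

Calling parse_csp_report(SAMPLE_BODY, "application/csp-report") returns the flattened fields with noise set to False; reports whose blocked-uri is an extension scheme come back flagged so a report-only rollout can count real violations separately.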

Copyrights ©2008: Valency Networks Pvt Ltd.