CSP Report-Only Mode: Test Without Breaking Your Site
Deploying a CSP policy without testing first is like running a database migration without a backup. It might work. It might take down your entire site. Report-only mode lets you find out what will break before it actually breaks: the browser logs violations but doesn’t block anything. You get all the data, none of the pain.

The Report-Only Header

It’s literally just a different header name:

    Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; report-uri /api/csp-report

Same syntax. Same directives. Same evaluation. The only difference: the browser reports violations instead of blocking them. Two caveats worth knowing up front: the report-only header has to be delivered as an HTTP response header (browsers ignore a Report-Only policy placed in a <meta http-equiv> element), and you can send it alongside a regular Content-Security-Policy header, so a site can enforce its current policy while test-driving a stricter one at the same time. ...
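Report-only mode is only useful if something reads the reports. As an added example (not code from the original post), here is a minimal Node.js parser for the JSON body a browser POSTs to a report-uri endpoint (Content-Type: application/csp-report, top-level "csp-report" key), plus a summary that collapses blocked URLs to their origin so you can see, per directive, what the policy would block once it goes enforcing. The sample reports are constructed for the example; the endpoint path /api/csp-report and the hostnames are assumptions.

```javascript
// Added example: parse legacy report-uri CSP violation reports and summarize
// what would break if the Report-Only policy were switched to enforcing.
// The report bodies below are constructed for this example, not captured traffic.

const ORIGINAL_POLICY =
  "default-src 'self'; script-src 'self'; report-uri /api/csp-report";

const SAMPLE_REPORTS = [
  // Third-party script loaded on two pages: would be blocked by script-src 'self'.
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://shop.example.test/checkout',
    'violated-directive': "script-src 'self'",
    'effective-directive': 'script-src',
    'blocked-uri': 'https://cdn.example-analytics.test/tag.js?v=3',
    'original-policy': ORIGINAL_POLICY,
    'disposition': 'report',
  } }),
  // Same script from another page; older browsers omit effective-directive.
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://shop.example.test/',
    'violated-directive': "script-src 'self'",
    'blocked-uri': 'https://cdn.example-analytics.test/tag.js',
    'original-policy': ORIGINAL_POLICY,
  } }),
  // Inline style attribute: browsers send the literal string "inline".
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://shop.example.test/checkout',
    'violated-directive': "default-src 'self'",
    'effective-directive': 'style-src',
    'blocked-uri': 'inline',
    'original-policy': ORIGINAL_POLICY,
    'disposition': 'report',
  } }),
  // Garbage POSTed to the endpoint: must be ignored, not crash the collector.
  '{"not":"a csp report"}',
];

// Reduce a blocked-uri to what you would actually add to the policy: the origin
// for URLs, and the keyword (inline, eval, data, blob, ...) otherwise.
function normalizeBlockedUri(uri) {
  if (!uri) return '(empty)';
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(uri)) return uri;
  try {
    return new URL(uri).origin;
  } catch {
    return uri;
  }
}

// Parse one report body. Throws on anything that is not a csp-report payload.
function parseCspReport(body) {
  const parsed = JSON.parse(body);
  const report = parsed['csp-report'];
  if (!report || typeof report !== 'object') {
    throw new Error('not a csp-report payload');
  }
  // effective-directive is the directive that actually matched; fall back to
  // the first token of violated-directive for browsers that do not send it.
  const directive =
    report['effective-directive'] ||
    String(report['violated-directive'] || '').split(' ')[0];
  return {
    documentUri: report['document-uri'],
    directive,
    blockedUri: normalizeBlockedUri(report['blocked-uri']),
    // Report-Only policies send "report"; an enforcing policy sends "enforce".
    disposition: report['disposition'] || 'enforce',
  };
}

// Count violations per (directive, blocked origin), most frequent first.
function summarize(bodies) {
  const counts = new Map();
  for (const body of bodies) {
    let r;
    try {
      r = parseCspReport(body);
    } catch {
      continue; // malformed or hostile input: skip it
    }
    const key = `${r.directive} ${r.blockedUri}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1])
    .map(([violation, count]) => ({ violation, count }));
}

console.table(summarize(SAMPLE_REPORTS));
```

Wire parseCspReport into whatever handles POST /api/csp-report, store the parsed rows, and run summarize over a day of traffic: each line of the summary is either a source to add to the policy or a dependency to remove before the header name loses its -Report-Only suffix.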