1. Introduction
Report Only Content Security Policy Detected indicates that a Content Security Policy (CSP) is in place on your website but is configured only to report violations rather than block them. CSP helps protect against cross-site scripting (XSS), clickjacking and mixed-content issues by controlling which resources the browser may load and execute. Report-only mode gives visibility into what the policy would block without risking service availability, but it prevents nothing: an injected script still runs. A successful attack could lead to data theft, website defacement or redirection of users.
2. Technical Explanation
The vulnerability occurs when a CSP is delivered with the ‘Content-Security-Policy-Report-Only’ header instead of ‘Content-Security-Policy’. The browser still evaluates the policy, sends a violation report to the configured report-uri/report-to endpoint (and logs it to the console), but then loads and executes the offending content anyway. An attacker who can inject a script or load an unwanted resource is therefore unaffected by the policy.
- Root cause: CSP is configured in report-only mode instead of enforcement mode.
- Exploit mechanism: An attacker injects a malicious script into a vulnerable web page. Because the policy is only reporting, the script executes.
- Scope: Websites that deliver their CSP only through the ‘Content-Security-Policy-Report-Only’ header are affected. Note that browsers ignore Report-Only in a <meta http-equiv> tag; a site relying on a report-only meta tag has no reporting and no CSP at all.
3. Detection and Assessment
You can confirm this vulnerability by checking the HTTP response headers of the affected pages. A thorough assessment also reviews the policy itself and the CSP reports it has collected, since a report-only policy that was never tightened will carry its weaknesses into enforcement.
- Quick checks: Use browser developer tools (Network tab) to inspect the response headers for ‘Content-Security-Policy-Report-Only’.
- Scanning: Security scanners may identify report-only CSP configurations as informational findings.
- Logs and evidence: Examine your web server logs or CSP reporting endpoint for entries related to policy violations.
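As an added example (not code from the original page), the following Python script performs the header check from the quick checks above programmatically and also parses the policy for problems that would survive the switch to enforcement. The sample header sets are constructed, fetch_headers is an optional live check, and https://yourwebsite.com is the same placeholder the page uses.

```python
"""Classify a site's CSP posture from its HTTP response headers.

Added example, not code from the original page. The sample header sets below
are constructed; the URL in __main__ is a placeholder.
"""
from __future__ import annotations

import re
import urllib.request

ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"
# 'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash is present.
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.IGNORECASE)


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Turn "default-src 'self'; script-src a b" into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        # Browsers honour only the first occurrence of a duplicated directive.
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: dict[str, list[str]], name: str) -> list[str]:
    """Source list that governs a fetch directive, with the default-src fallback."""
    return directives.get(name, directives.get("default-src", []))


def weaknesses(directives: dict[str, list[str]], report_only: bool) -> list[str]:
    """Policy-level problems that still matter once the header is enforced."""
    issues: list[str] = []
    if "script-src" not in directives and "default-src" not in directives:
        issues.append("no script-src or default-src: script loading is unrestricted")
    scripts = [s.lower() for s in effective_sources(directives, "script-src")]
    if "'unsafe-inline'" in scripts and not any(NONCE_OR_HASH.match(s) for s in scripts):
        issues.append("'unsafe-inline' allowed for scripts: injected inline scripts still run")
    if any(s in ("*", "http:", "https:", "data:") for s in scripts):
        issues.append("wildcard or scheme-only script source: attacker-hosted scripts load")
    if report_only and not any(d in directives for d in ("report-uri", "report-to")):
        issues.append("report-only policy without report-uri/report-to: "
                      "violations are visible only in the browser console")
    return issues


def posture(headers: dict[str, str]) -> str:
    """'none', 'report-only', 'enforced' or 'both', from the header names present."""
    names = {k.lower() for k in headers}
    enforced, report_only = ENFORCE in names, REPORT_ONLY in names
    if enforced and report_only:
        return "both"
    if enforced:
        return "enforced"
    return "report-only" if report_only else "none"


def assess(headers: dict[str, str]) -> dict:
    """The finding this page describes is posture == 'report-only'."""
    lower = {k.lower(): v for k, v in headers.items()}
    mode = posture(headers)
    issues: list[str] = []
    if REPORT_ONLY in lower:
        issues += weaknesses(parse_policy(lower[REPORT_ONLY]), report_only=True)
    if ENFORCE in lower:
        issues += weaknesses(parse_policy(lower[ENFORCE]), report_only=False)
    return {"posture": mode, "finding": mode == "report-only", "issues": issues}


def fetch_headers(url: str) -> dict[str, str]:
    """Live check: HEAD the page and return its response headers."""
    with urllib.request.urlopen(urllib.request.Request(url, method="HEAD")) as resp:
        return dict(resp.headers)


# Constructed samples: the 'before' and 'after' states from the remediation section.
SAMPLE_BEFORE = {
    "Content-Type": "text/html",
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /csp-report",
}
SAMPLE_AFTER = {
    "Content-Type": "text/html",
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; report-uri /csp-report",
}

if __name__ == "__main__":
    for label, hdrs in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, assess(hdrs))
    # print(assess(fetch_headers("https://yourwebsite.com/")))  # placeholder URL
```

The check is deliberately stricter than the scanner finding: 'both' is not flagged, because an enforced header is present, but a report-only policy that allows 'unsafe-inline' or has no reporting directive is reported so it gets fixed before it is promoted.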
curl -sI https://yourwebsite.com | grep -i "content-security-policy-report-only"
4. Solution / Remediation Steps
To fix this, switch your Content Security Policy from report-only mode to enforcement mode. This involves adding the ‘Content-Security-Policy’ header and removing the ‘Content-Security-Policy-Report-Only’ header.
4.1 Preparation
- Review the violation reports collected in report-only mode and resolve every legitimate violation (missing allow-listed origins, inline scripts that need a nonce or hash) before enforcing; whatever is still being reported will be blocked.
- Change windows should align with low-traffic periods and require approval from security or web operations teams.
4.2 Implementation
- Step 1: Remove the ‘Content-Security-Policy-Report-Only’ HTTP header from your web server (or application) configuration. If a <meta http-equiv=’Content-Security-Policy-Report-Only’> tag was used, remove it as well; browsers ignore Report-Only in a meta tag, so it was never providing reports either.
- Step 2: Add the ‘Content-Security-Policy’ HTTP header with a suitable policy to your web server configuration.
- Step 3: Restart your web server or deploy the updated configuration.
4.3 Config or Code Example
Before
Content-Security-Policy-Report-Only: default-src 'self'After
Content-Security-Policy: default-src 'self'4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue and similar attacks.
- Practice 1: Secure headers such as CSP provide a strong defence against common web attacks, but only in enforcement mode; treat report-only as a staging step with a reporting endpoint, not as a destination.
- Practice 2: A regular patch cadence keeps your web server software up to date with the latest security fixes.
4.5 Automation (Optional)
If using a configuration management tool, you can automate header changes.
# Example Ansible tasks (Apache httpd with mod_headers; the config path is an assumption, adjust it to your server)
- name: Remove Content-Security-Policy-Report-Only header
  ansible.builtin.lineinfile:
    path: /etc/httpd/conf.d/security-headers.conf
    regexp: '^\s*Header\s+(always\s+)?set\s+Content-Security-Policy-Report-Only\b'
    state: absent
- name: Add Content-Security-Policy header
  ansible.builtin.lineinfile:
    path: /etc/httpd/conf.d/security-headers.conf
    regexp: '^\s*Header\s+(always\s+)?set\s+Content-Security-Policy\s'
    line: "Header always set Content-Security-Policy \"default-src 'self'\""
    state: present
# Reload or restart httpd afterwards so the new header is served (Step 3 above).
5. Verification / Validation
Confirm the fix by checking your website’s HTTP headers and verifying that violations are now blocked, not just reported.
- Post-fix check: Use browser developer tools (Network tab) to confirm ‘Content-Security-Policy’ is present and ‘Content-Security-Policy-Report-Only’ is absent.
- Re-test: On a staging copy of a page, add an inline <script> or a script from an origin the policy does not allow. The browser should refuse to run it and log the refusal in the console, rather than running it and only sending a report.
- Monitoring: Monitor CSP reports for any unexpected violations, indicating potential issues with your policy configuration.
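For the monitoring step, an added example (not code from the original page) in Python that normalises the two report formats browsers send and uses the "disposition" field to tell which pages are still being served report-only after the fix. The legacy application/csp-report body is a single object keyed "csp-report"; the Reporting API delivers a JSON array of typed reports. The sample reports below are constructed and use the page's placeholder hostname.

```python
"""Normalise CSP violation reports and check the policy is now being enforced.

Added example, not code from the original page. Both report formats carry a
"disposition" of "enforce" or "report"; that field, not the presence of reports,
is what confirms enforcement. The sample reports below are constructed.
"""
from __future__ import annotations

import json
from collections import Counter


def _entry(document: str | None, directive: str | None,
           blocked: str | None, disposition: str | None) -> dict:
    return {
        "document": document or "",
        "directive": directive or "",
        "blocked": blocked or "",
        # Older browsers omit disposition; never assume "enforce" when it is missing.
        "disposition": disposition or "unknown",
    }


def normalise(payload: str) -> list[dict]:
    """Flat list of {document, directive, blocked, disposition} from either format."""
    data = json.loads(payload)
    if isinstance(data, dict) and "csp-report" in data:          # legacy format
        b = data["csp-report"]
        return [_entry(b.get("document-uri"),
                       b.get("effective-directive") or b.get("violated-directive"),
                       b.get("blocked-uri"), b.get("disposition"))]
    if isinstance(data, list):                                     # Reporting API batch
        out = []
        for item in data:
            if item.get("type") != "csp-violation":                # batches mix report types
                continue
            b = item.get("body", {})
            out.append(_entry(b.get("documentURL"), b.get("effectiveDirective"),
                              b.get("blockedURL"), b.get("disposition")))
        return out
    raise ValueError("unrecognised CSP report payload")


def still_report_only(reports: list[dict]) -> list[str]:
    """Documents still sending disposition=report after the fix was deployed."""
    return sorted({r["document"] for r in reports if r["disposition"] == "report"})


def top_blocked(reports: list[dict]) -> list[tuple[tuple[str, str], int]]:
    """Most frequent (directive, blocked) pairs: the policy gaps to review first."""
    return Counter((r["directive"], r["blocked"]) for r in reports).most_common()


# Constructed sample: a legacy report from a page still served report-only ...
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://yourwebsite.com/account",
    "referrer": "",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; report-uri /csp-report",
    "disposition": "report",
    "blocked-uri": "inline",
    "status-code": 200,
}})

# ... and a Reporting API batch from a page where the header is now enforced.
REPORTING_API_BATCH = json.dumps([
    {"age": 12, "type": "csp-violation", "url": "https://yourwebsite.com/",
     "user_agent": "Mozilla/5.0",
     "body": {"documentURL": "https://yourwebsite.com/",
              "effectiveDirective": "script-src",
              "blockedURL": "https://cdn.example/analytics.js",
              "disposition": "enforce",
              "originalPolicy": "default-src 'self'; report-to csp",
              "statusCode": 200}},
    {"age": 3, "type": "deprecation", "url": "https://yourwebsite.com/",
     "user_agent": "Mozilla/5.0", "body": {"id": "Example"}},
])

if __name__ == "__main__":
    reports = normalise(LEGACY_REPORT) + normalise(REPORTING_API_BATCH)
    print("still report-only:", still_report_only(reports))
    print("most blocked:", top_blocked(reports))
```

A non-empty still_report_only result after the deployment usually points at a cached response, a second vhost or a CDN rule that still injects the old header; the top_blocked list is the input for the next policy revision.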
curl -sI https://yourwebsite.com | grep -i "^content-security-policy"
The output should show a Content-Security-Policy line and no Content-Security-Policy-Report-Only line.
6. Preventive Measures and Monitoring
Regularly review and update security baselines to include strong CSP configurations.
- Baselines: Update your web server security baseline to enforce ‘Content-Security-Policy’ instead of ‘Content-Security-Policy-Report-Only’.
- Asset and patch process: Implement a regular patch review cycle for web server software and dependencies.
7. Risks, Side Effects, and Roll Back
Switching to enforcement mode may cause legitimate website functionality to break if the CSP is too restrictive.
- Risk or side effect 1: Legitimate scripts, styles or images that the policy does not allow stop loading once the header is enforced. Mitigation: Run the final policy in report-only mode first and resolve every violation before switching.
- Risk or side effect 2: Incorrect CSP configuration may disrupt third-party integrations. Mitigation: Carefully review and test all third-party scripts and resources.
- Roll back: Revert the header changes by re-adding ‘Content-Security-Policy-Report-Only’ and removing ‘Content-Security-Policy’. Restart your web server or deploy the updated configuration.
8. References and Resources
- Vendor advisory or bulletin: Not applicable for a general configuration issue.
- NVD or CVE entry: Not applicable for a general configuration issue.
- Product or platform documentation relevant to the fix: https://content-security-policy.com/