CSP-002 recommended general

Report-only mode for testing

CSP tested via report-only mode before enforcing, with violation reports collected and reviewed

Question to ask

"Did you test your CSP before it started blocking real users?"

Verification guide

Severity: Recommended

Before enforcing CSP, use Content-Security-Policy-Report-Only to monitor violations without breaking the site. This lets you tune the policy before going live.

Check automatically:

  1. Check for a report-only header in code:

       # Report-only mode in code
       grep -rE "Content-Security-Policy-Report-Only|reportOnly" src/ app/ lib/ --include="*.ts" --include="*.js" 2>/dev/null

       # Helmet reportOnly option
       grep -rE "reportOnly:\s*true" src/ app/ --include="*.ts" --include="*.js" 2>/dev/null

  2. Check for a report-uri or report-to directive:

       # report-uri (deprecated but still used) and its replacement report-to
       grep -rE "report-uri|report-to" src/ app/ lib/ nginx/ *.conf 2>/dev/null

       # Reporting endpoint configuration (Report-To or Reporting-Endpoints header)
       grep -rE "Report-To|Reporting-Endpoints" src/ app/ --include="*.ts" --include="*.js" 2>/dev/null

  3. Check for CSP reporting services:

       # Common reporting services referenced in CSP configuration
       grep -rE "report-uri\.com|sentry\.io.*csp|uri\.report" src/ app/ lib/ 2>/dev/null

  4. Check the headers the live site actually sends:

       # Shows whether CSP is enforcing or report-only and where reports go
       curl -sI https://example.com | grep -iE "content-security-policy|report-to|reporting-endpoints"
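The header check in step 4 is easier to review when the response is classified against the pass/fail criteria automatically. The following is an added example, not part of the checklist or of any tool it names: it takes the raw header block as `curl -sI` prints it, determines whether CSP is enforcing, report-only, both, or absent, and pulls out every reporting endpoint (`report-uri`, `report-to` groups, and the `Report-To` / `Reporting-Endpoints` headers those groups must resolve to). The sample headers and the hostnames in them are constructed.

```javascript
// Added example for CSP-002 (not from the checklist): classify a response's
// CSP headers against the pass/fail criteria. Input is the raw header block
// as printed by `curl -sI`. SAMPLE_HEADERS below is constructed.

const SAMPLE_HEADERS = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  'reporting-endpoints: csp-endpoint="https://reports.example.com/csp"',
  "content-security-policy-report-only: default-src 'self'; script-src 'self' https://cdn.example.com; report-to csp-endpoint; report-uri /csp-report",
  '',
].join('\r\n');

// Parse "Name: value" lines into a map keyed by lower-cased header name.
// The status line and blank lines have no colon and are skipped; repeated
// headers are joined with ", " as HTTP permits.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Split a policy string into { 'directive-name': [values...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

function assessCsp(raw) {
  const headers = parseHeaders(raw);
  const enforcing = headers['content-security-policy'];
  const reportOnly = headers['content-security-policy-report-only'];
  let mode = 'none';
  if (enforcing && reportOnly) mode = 'both';      // common while tightening: enforce loose, report strict
  else if (enforcing) mode = 'enforcing';
  else if (reportOnly) mode = 'report-only';

  const result = { mode, reportUri: [], reportTo: [], reportingEndpoints: {}, findings: [] };

  for (const policy of [enforcing, reportOnly].filter(Boolean)) {
    const d = parsePolicy(policy);
    if (d['report-uri']) result.reportUri.push(...d['report-uri']);
    if (d['report-to']) result.reportTo.push(...d['report-to']);
  }

  // Reporting-Endpoints: name="url", other="url2"
  const re = headers['reporting-endpoints'];
  if (re) {
    for (const m of re.matchAll(/([\w-]+)="([^"]+)"/g)) result.reportingEndpoints[m[1]] = m[2];
  }
  // Report-To (older Reporting API header): comma-separated JSON group objects
  const rt = headers['report-to'];
  if (rt) {
    try {
      for (const g of JSON.parse(`[${rt}]`)) {
        if (g.group && Array.isArray(g.endpoints) && g.endpoints[0]) {
          result.reportingEndpoints[g.group] = g.endpoints[0].url;
        }
      }
    } catch (e) {
      result.findings.push('Report-To header is not valid JSON');
    }
  }

  // A report-to group that no header defines means reports silently go nowhere.
  for (const group of result.reportTo) {
    if (!(group in result.reportingEndpoints)) {
      result.findings.push(`report-to group "${group}" has no Report-To/Reporting-Endpoints entry`);
    }
  }
  if (mode === 'none') result.findings.push('no CSP header present');
  else if (result.reportUri.length === 0 && result.reportTo.length === 0) {
    result.findings.push('no reporting endpoint configured');
  }
  return result;
}

module.exports = { parseHeaders, parsePolicy, assessCsp, SAMPLE_HEADERS };
```

Feed it the output of `curl -sI` against the site under review; an empty `findings` array with `mode` of `report-only` is the "CSP is new" pass case, while `enforcing` with a `no reporting endpoint configured` finding matches the second fail criterion.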

Ask user:

  • "Is CSP currently in report-only mode or enforcing?"
  • "Where do CSP violation reports go? (Sentry, report-uri.com, custom endpoint)"
  • "Have you reviewed CSP violation reports before enforcing?"

Cross-reference with:

  • CSP-001 (full CSP headers - this is the testing phase)
  • CSP-003 (blocking inline - reports show what would break)

Pass criteria:

  • If CSP is new: report-only mode is active with reporting endpoint configured
  • If CSP is mature: enforcing mode is fine (report-only phase already completed)
  • Violation reports are being collected somewhere

Fail criteria:

  • CSP jumped straight to enforcing without testing (unless the policy is very simple)
  • No reporting endpoint configured (you can't see what's breaking)
  • Report-only mode with no one reviewing the reports

Reporting service options:

  • Sentry - CSP reports can be sent to Sentry's security endpoint
  • report-uri.com - Dedicated CSP reporting service with dashboards
  • uri.report - Simple CSP report collection
  • Custom endpoint - Build your own if you need it (log and analyze)
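A custom endpoint is only useful if someone can read what it collects. The following added example (not part of the checklist, and not any of the services listed above) shows the "log and analyze" half: it normalizes violation reports arriving in the legacy `report-uri` format (a `csp-report` object) and in the Reporting API format used by `report-to` (a JSON array of reports), drops browser-extension noise, and aggregates the rest into the rows a reviewer needs to tune the policy before enforcing. The sample reports and their URLs are constructed.

```javascript
// Added example for CSP-002 (not from the checklist): normalize and summarize
// CSP violation reports for review during the report-only phase.
// Both sample bodies below are constructed.

// Legacy format (Content-Type: application/csp-report, sent to report-uri)
const LEGACY_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://www.example.com/checkout',
    'violated-directive': 'script-src-elem',
    'effective-directive': 'script-src-elem',
    'blocked-uri': 'https://cdn.example.net/widget.js',
    'disposition': 'report',
    'original-policy': "default-src 'self'; report-uri /csp-report",
  },
});

// Reporting API format (Content-Type: application/reports+json, sent to report-to).
// Batches can mix report types; only csp-violation entries matter here.
const REPORTING_API_BATCH = JSON.stringify([
  { type: 'csp-violation', age: 12, url: 'https://www.example.com/checkout',
    body: { documentURL: 'https://www.example.com/checkout', effectiveDirective: 'script-src-elem',
            blockedURL: 'https://cdn.example.net/widget.js', disposition: 'report' } },
  { type: 'csp-violation', age: 40, url: 'https://www.example.com/',
    body: { documentURL: 'https://www.example.com/', effectiveDirective: 'style-src-attr',
            blockedURL: 'inline', disposition: 'report' } },
  { type: 'csp-violation', age: 3, url: 'https://www.example.com/',
    body: { documentURL: 'https://www.example.com/', effectiveDirective: 'script-src-elem',
            blockedURL: 'chrome-extension://abcdefghijklmnop/inject.js', disposition: 'report' } },
  { type: 'deprecation', age: 5, url: 'https://www.example.com/', body: { id: 'constructed' } },
]);

// Content injected by browser extensions violates the site's policy but is not
// something the site can fix, so it is excluded from the review.
const EXTENSION_SCHEMES = /^(chrome|moz|safari-web|ms-browser)-extension:/;

// Convert one request body (either format) into a flat list of violations.
function normalizeReports(rawBody) {
  const parsed = JSON.parse(rawBody);
  const out = [];
  if (parsed && parsed['csp-report']) {
    const r = parsed['csp-report'];
    out.push({
      document: r['document-uri'],
      directive: r['effective-directive'] || r['violated-directive'],
      blocked: r['blocked-uri'],
      disposition: r['disposition'] || 'unknown',
    });
  } else if (Array.isArray(parsed)) {
    for (const item of parsed) {
      if (item.type !== 'csp-violation' || !item.body) continue;
      out.push({
        document: item.body.documentURL,
        directive: item.body.effectiveDirective,
        blocked: item.body.blockedURL,
        disposition: item.body.disposition || 'unknown',
      });
    }
  }
  return out;
}

function isActionable(v) {
  return !EXTENSION_SCHEMES.test(v.blocked || '');
}

// Group by directive + blocked source: each row corresponds to one policy
// decision (allowlist the host, move the inline style, or accept the block).
function summarize(violations) {
  const rows = new Map();
  for (const v of violations.filter(isActionable)) {
    const key = `${v.directive} ${v.blocked}`;
    const row = rows.get(key) || { directive: v.directive, blocked: v.blocked, count: 0, documents: new Set() };
    row.count += 1;
    row.documents.add(v.document);
    rows.set(key, row);
  }
  return [...rows.values()]
    .map((r) => ({ ...r, documents: [...r.documents].sort() }))
    .sort((a, b) => b.count - a.count || a.directive.localeCompare(b.directive));
}

// Review a batch of stored request bodies as collected by the endpoint.
function reviewBatch(bodies) {
  return summarize(bodies.flatMap(normalizeReports));
}

module.exports = { normalizeReports, summarize, reviewBatch, LEGACY_REPORT, REPORTING_API_BATCH };
```

In the constructed batch the widget script shows up in both formats and collapses to a single row with a count of two, the inline style is a separate row, and the extension-injected script is dropped; a row whose `disposition` is `enforce` after go-live is a real user-facing break rather than a rehearsal.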

Evidence to capture:

  • Current mode (report-only vs enforcing)
  • Reporting endpoint (if configured)
  • Whether violations are being monitored

Section 32. Content Security Policy (API & Security)