Getting Started With a Content Security Policy
Update (January 2026): The report-uri directive used in this tutorial is now deprecated in CSP Level 3 in favor of report-to. However, browser support for report-to is still incomplete. Best practice: use both directives together for maximum compatibility - browsers that support report-to will ignore report-uri, while older browsers will use report-uri as a fallback.

I recently needed to set up a Content Security Policy (CSP) on a website and I couldn’t think of where to get started. The first question that came to mind was what content do I allow, and how do I test everything without having to look through all of the code on the site. This is where the Content-Security-Policy-Report-Only header comes into play. The short version is that it lets you deploy a policy in report-only mode and collect the results at the endpoint specified via the report-uri directive.

That’s great! I have what I need, but how do I collect what’s being reported by the clients to the report-uri, and what do I use for the report-uri? This was a great place for me to begin testing out DigitalOcean Functions. ...
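As an added example (not code from the original post), the pieces of a report-only rollout in Python: the headers that carry both report-uri and report-to, a collector that accepts the legacy `application/csp-report` body as well as the Reporting API `application/reports+json` body that report-to produces, and an aggregation step that turns the reports into allowlist candidates. The endpoint URL, the endpoint group name, the sample reports and the `main(args)` wrapper's `args["http"]` shape are assumptions for illustration, not something the post or DigitalOcean documents here. Because the collector is necessarily unauthenticated, it caps the body size and treats every reported value as an untrusted string.

```python
"""Report-only CSP rollout, end to end (added example, all values assumed)."""
import json
from collections import Counter
from urllib.parse import urlsplit

REPORT_ENDPOINT = "https://example.invalid/csp-reports"  # assumed placeholder URL
REPORT_GROUP = "csp-endpoint"                             # assumed group name
MAX_BODY_BYTES = 64 * 1024                                # anyone can POST here; cap it


def build_headers(policy: str) -> dict:
    """Headers for a report-only deployment that serves both report directives.

    report-uri (CSP Level 2, deprecated) takes the endpoint URL directly.
    report-to (CSP Level 3) names a group declared in Reporting-Endpoints.
    Browsers that understand report-to ignore report-uri; older ones use it.
    """
    directives = policy.strip().rstrip(";")
    return {
        "Content-Security-Policy-Report-Only":
            f"{directives}; report-uri {REPORT_ENDPOINT}; report-to {REPORT_GROUP}",
        "Reporting-Endpoints": f'{REPORT_GROUP}="{REPORT_ENDPOINT}"',
    }


def _normalize_legacy(record: dict) -> dict:
    r = record.get("csp-report", {})
    directive = r.get("effective-directive") or (r.get("violated-directive") or "").split(" ")[0]
    return {
        "document": str(r.get("document-uri", "")),
        "directive": str(directive),
        "blocked": str(r.get("blocked-uri", "")),
        "disposition": str(r.get("disposition", "report")),
    }


def _normalize_reporting_api(record: dict) -> dict:
    body = record.get("body", {})
    return {
        "document": str(body.get("documentURL", "")),
        "directive": str(body.get("effectiveDirective", "")),
        "blocked": str(body.get("blockedURL", "")),
        "disposition": str(body.get("disposition", "report")),
    }


def parse_csp_reports(content_type: str, raw_body) -> list:
    """Parse a POSTed report body in either wire format into normalized dicts."""
    if isinstance(raw_body, bytes):
        raw_body = raw_body.decode("utf-8", errors="replace")
    if len(raw_body.encode("utf-8")) > MAX_BODY_BYTES:
        raise ValueError("report body too large")
    media_type = content_type.split(";")[0].strip().lower()
    try:
        data = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON: {exc}") from None
    if media_type == "application/csp-report" and isinstance(data, dict):
        return [_normalize_legacy(data)]
    if media_type == "application/reports+json" and isinstance(data, list):
        # The Reporting API batches report types; keep only CSP violations.
        return [_normalize_reporting_api(r) for r in data
                if isinstance(r, dict) and r.get("type") == "csp-violation"]
    raise ValueError(f"unsupported content type: {media_type!r}")


def _blocked_origin(blocked: str) -> str:
    """Collapse a blocked URL to its origin; keep keywords like 'inline' or 'eval'."""
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked or "(empty)"


def summarize(reports: list) -> Counter:
    """Count violations by (directive, blocked origin): the allowlist candidates."""
    return Counter((r["directive"], _blocked_origin(r["blocked"])) for r in reports)


def main(args: dict) -> dict:
    """Handler in the shape assumed for a DigitalOcean web function:
    args["http"] with 'headers' and 'body' (adapt for other hosts)."""
    http = args.get("http", {})
    headers = {k.lower(): v for k, v in http.get("headers", {}).items()}
    try:
        reports = parse_csp_reports(headers.get("content-type", ""), http.get("body", ""))
    except ValueError as exc:
        return {"statusCode": 400, "body": str(exc)}
    for report in reports:
        print(json.dumps(report))  # function logs are the collection point
    return {"statusCode": 204}


# Constructed sample bodies, one per wire format.
SAMPLE_LEGACY_BODY = json.dumps({"csp-report": {
    "document-uri": "https://www.example.invalid/about",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.example.invalid/widget.js",
    "status-code": 200}})
SAMPLE_REPORTING_BODY = json.dumps([
    {"type": "csp-violation", "age": 12, "url": "https://www.example.invalid/about",
     "body": {"documentURL": "https://www.example.invalid/about", "blockedURL": "inline",
              "effectiveDirective": "style-src-elem", "disposition": "report"}},
    {"type": "deprecation", "age": 3, "url": "https://www.example.invalid/about",
     "body": {"id": "constructed"}}])

if __name__ == "__main__":
    print(build_headers("default-src 'self'"))
    found = parse_csp_reports("application/csp-report", SAMPLE_LEGACY_BODY)
    found += parse_csp_reports("application/reports+json", SAMPLE_REPORTING_BODY)
    for key, count in summarize(found).most_common():
        print(count, key)
```

Run the script to see the header pair and the aggregated candidates; each `(directive, origin)` row is one decision to make before switching from Content-Security-Policy-Report-Only to the enforcing header. Reports arriving as `inline` or `eval` are the ones that usually need code changes (nonces or hashes) rather than an allowlist entry.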