Security headers · Check
CSP is in report-only mode — promoting it to enforcement
Your site sends `Content-Security-Policy-Report-Only` but no enforcing `Content-Security-Policy` header. Report-only mode collects violation reports but never blocks anything — useful as a staging step, but the policy provides no actual mitigation while it stays report-only.
Why it matters
Once your reports are quiet, ship the same policy as the enforcing `Content-Security-Policy` header. You can keep a parallel report-only header if you're testing tighter rules.
Real-world risk
Report-only mode collects violation reports but never blocks anything. The policy is informative but provides no actual mitigation against XSS or injection.
Fix steps (in order)
- Review the violations collected over the last few weeks; resolve any that come from your own code.
- Once violations are limited to known-safe noise, ship the same rules as the enforcing Content-Security-Policy header.
- If you want to keep iterating, run a stricter policy in parallel via Content-Security-Policy-Report-Only.
Topic explainer
What is Content Security Policy (CSP)? A practical explainer →
An accessible explanation of Content Security Policy: what it does, why it exists, the directives that matter, and how to roll one out without breaking your app.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (csp_report_only_only) clears once the externally-observable signal is in place.