CSP HTTP header format

The format of the Content Security Policy (CSP) report-only HTTP header added by Page Shield is the following:

content-security-policy-report-only: script-src 'none'; connect-src 'none'; report-uri https://csp-reporting.cloudflare.com/cdn-cgi/script_monitor/report?<QUERY_STRING>

If you configured the CSP reporting endpoint to use the same hostname, the HTTP header will have the following format:

content-security-policy-report-only: script-src 'none'; connect-src 'none'; report-uri <YOUR_HOSTNAME>/cdn-cgi/script_monitor/report?<QUERY_STRING>

Notes

Cloudflare adds the CSP report-only HTTP header used to monitor webpages resources to a sample of sent responses.

Configuring log policies will add other CSP report-only headers to responses. Cloudflare will not perform any sampling for these report-only headers related to customer-defined policies.

Related resources

• Mozilla Developer Network’s (MDN) documentation on Content-Security-Policy-Report-Only ↗