Fix guide · info · csp_report_only
CSP is in Report-Only mode
Your server sends Content-Security-Policy-Report-Only instead of Content-Security-Policy. Browsers will log violations to the report endpoint but will not block them. You get effective protection only after switching to enforce mode.
Why it matters
Report-Only mode is a deployment safety mechanism — it lets you understand what your CSP would block before turning it on. The intended workflow is: ship Report-Only, watch the report stream for a week, fix legitimate violations, switch to enforce mode. The trap is forgetting step 3. Apps regularly stay in Report-Only for years because nothing breaks (browsers don't enforce) and nothing prompts the dev to flip the switch.
Report-Only is not a security control. It's an observability tool. If your threat model includes XSS, you need enforce mode.
How to fix it
Switch the header name:
# BEFORE
Content-Security-Policy-Report-Only: default-src 'self'; ...
# AFTER
Content-Security-Policy: default-src 'self'; ...
Before flipping: review the last 7 days of report-uri logs. Anything legitimate that's currently triggering reports needs to be addressed — either by adjusting the policy (add the source) or by fixing the code (move the inline script out).
You can run both headers simultaneously during the switch — the enforced policy is strict, the Report-Only one is even stricter and is used to test future tightenings. CSP supports this by design.
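As an added example (not vibecheck's own code), a small Python checker that classifies a response's CSP deployment state the way this guide describes and flags the two states worth acting on: Report-Only without enforcement, and a Report-Only policy that names no report endpoint, so its violations never reach anyone. The header and directive names are standard; the sample headers for the before, after and dual-header cases are constructed.

```python
from typing import Dict, List, Tuple

ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_state(headers: Dict[str, str]) -> str:
    """Return 'none', 'report-only', 'enforced' or 'both' for a response."""
    names = {k.lower() for k in headers}
    enforced, report_only = ENFORCE in names, REPORT_ONLY in names
    if enforced and report_only:
        return "both"
    if enforced:
        return "enforced"
    return "report-only" if report_only else "none"


def check_csp(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Classify the deployment and list what a reviewer should act on."""
    lower = {k.lower(): v for k, v in headers.items()}
    state = csp_state(headers)
    issues: List[str] = []
    if state == "report-only":
        issues.append("csp_report_only: policy is observed, not enforced")
    if state in ("report-only", "both"):
        ro = parse_csp(lower[REPORT_ONLY])
        if "report-uri" not in ro and "report-to" not in ro:
            issues.append("report-only policy has no report-uri/report-to; "
                          "violations are never collected")
    return state, issues


# Constructed sample responses: before the fix, after it, and the dual-header setup.
BEFORE = {"Content-Security-Policy-Report-Only":
          "default-src 'self'; report-uri /csp-reports"}
AFTER = {"Content-Security-Policy": "default-src 'self'; report-uri /csp-reports"}
BOTH = {"Content-Security-Policy": "default-src 'self'",
        "Content-Security-Policy-Report-Only":
        "default-src 'none'; script-src 'self'"}  # no report endpoint: flagged

if __name__ == "__main__":
    for name, hdrs in (("before", BEFORE), ("after", AFTER), ("both", BOTH)):
        print(name, check_csp(hdrs))
```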
Full guide: /blog/csp-bypass-vibe-coded.
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.