From 7848f5aae059810e05147c5f4d4ae94a52f950c2 Mon Sep 17 00:00:00 2001 From: Evan Hahn Date: Fri, 1 Apr 2022 09:07:03 -0500 Subject: [PATCH] Document how to set both CSP and CSP-Report-Only headers See [#351][0]. [0]: https://github.com/helmetjs/helmet/issues/351 --- CHANGELOG.md | 4 ++++ README.md | 2 +- middlewares/content-security-policy/README.md | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 54b5077..6e2e1e9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ ## Unreleased +### Added + +- Documented how to set both `Content-Security-Policy` and `Content-Security-Policy-Report-Only` + ### Changed - Cleaned up some documentation around `Origin-Agent-Cluster` diff --git a/README.md b/README.md index 359de15..1103e16 100644 --- a/README.md +++ b/README.md @@ -154,7 +154,7 @@ These directives are merged into a default policy, which you can disable by sett style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests -`options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead. +`options.reportOnly` is a boolean, defaulting to `false`. If `true`, [the `Content-Security-Policy-Report-Only` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) will be set instead. If you want to set _both_ the normal and `Report-Only` headers, see [this code snippet](https://github.com/helmetjs/helmet/issues/351#issuecomment-1015498560). You can also get the default directives object with `helmet.contentSecurityPolicy.getDefaultDirectives()`. diff --git a/middlewares/content-security-policy/README.md b/middlewares/content-security-policy/README.md index 91d7242..72aff8b 100644 --- a/middlewares/content-security-policy/README.md +++ b/middlewares/content-security-policy/README.md 
@@ -46,7 +46,7 @@ You can also get the default directives object with `contentSecurityPolicy.getDe You can set any directives you wish. `defaultSrc` is required, but can be explicitly disabled by setting its value to `contentSecurityPolicy.dangerouslyDisableDefaultSrc`. Directives can be kebab-cased (like `script-src`) or camel-cased (like `scriptSrc`). They are equivalent, but duplicates are not allowed. -The `reportOnly` option, if set to `true`, sets the `Content-Security-Policy-Report-Only` header instead. +The `reportOnly` option, if set to `true`, sets the `Content-Security-Policy-Report-Only` header instead. If you want to set _both_ the normal and `Report-Only` headers, see [this code snippet](https://github.com/helmetjs/helmet/issues/351#issuecomment-1015498560). This middleware does minimal validation. You should use a more sophisticated CSP validator, like [Google's CSP Evaluator](https://csp-evaluator.withgoogle.com/), to make sure your CSP looks good.
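Review bot: the CHANGELOG.md hunk adds the `### Added` entry without pointing at the issue that motivated it, although the commit message already cites [#351]; consider appending the same link to the bullet so a reader of the changelog can find the discussion and the referenced snippet without going through git history.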
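Review bot: in the README.md hunk the only guidance for setting both headers is a link to an issue comment (`issues/351#issuecomment-1015498560`), which can be edited or deleted and is not part of the repository; consider inlining the snippet, or at least a one-line description of the approach, in the README and keeping the link as a reference. A short clause on why someone would set both, for example enforcing the current policy while evaluating a stricter one in report-only mode, would also make the sentence self-explanatory.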
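Review bot: the middlewares/content-security-policy/README.md hunk repeats the new sentence verbatim from README.md; if the snippet is inlined, put it in one of the two READMEs and have the other link to that section so the two copies cannot drift apart.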