diff --git a/main/inc/lib/template.lib.php b/main/inc/lib/template.lib.php
index 8b6a841fdc..1b60bdc44f 100755
--- a/main/inc/lib/template.lib.php
+++ b/main/inc/lib/template.lib.php
@@ -1512,6 +1512,10 @@ class Template
 if (!empty($setting)) {
 header('Content-Security-Policy: '.$setting);
 }
+ $setting = api_get_configuration_value('security_content_policy_report_only');
+ if (!empty($setting)) {
+ header('Content-Security-Policy-Report-Only: '.$setting);
+ }
 // Public-Key-Pins
 $setting = api_get_configuration_value('security_public_key_pins');
 if (!empty($setting)) {
diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php
index 1e8d7fd53e..4732811f3f 100755
--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@@ -413,7 +413,10 @@ $_configuration['agenda_legend'] = [
 // Content Security Policy is an effective measure to protect your site from
 // XSS attacks. By whitelisting sources of approved content, you can prevent
 // the browser from loading malicious assets.
-//$_configuration['security_content_policy'] = '';
+// The provided default is an *example*, please customize.
+// This setting is particularly complicated to set with CKeditor
+//$_configuration['security_content_policy'] = 'default-src \'self\'; script-src *://*.google.com:*';
+//$_configuration['security_content_policy_report_only'] = 'default-src \'self\'; script-src *://*.google.com:*';
 //
 // HTTP Public Key Pinning protects your site from MiTM attacks using rogue
 // X.509 certificates. By whitelisting only the identities that the browser
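Review bot: The new Content-Security-Policy-Report-Only branch sends whatever string is configured, but a report-only policy has no effect beyond browser console logging unless it carries a `report-uri` or `report-to` directive, so a value copied from the enforced policy is easy to get silently wrong. A one-line comment above the new lookup would spare the next admin a debugging session: `// Report-Only policies are only observable via report-uri/report-to; without one, violations only appear in the browser console.` The `!empty()` guard mirrors the enforced-CSP branch above, which keeps the two consistent, though it treats the string `'0'` as unset like its sibling does. The enclosing method starts and ends outside the hunk.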
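Review bot: The example `script-src *://*.google.com:*` replaces `default-src` for scripts and does not repeat `'self'`, so an admin who copies it unchanged will have the platform's own JavaScript blocked, and the `*://` scheme wildcard also admits plain-http script sources on an otherwise HTTPS site. The comment already calls it an example, but the example should be self-consistent, e.g. `//$_configuration['security_content_policy'] = 'default-src \'self\'; script-src \'self\' https://*.google.com';`. The `security_content_policy_report_only` example would likewise be more useful with a `report-uri` or `report-to` directive, since a report-only policy without one is only visible in the browser console.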
@@ -439,7 +442,7 @@ $_configuration['agenda_legend'] = [
 //$_configuration['security_x_content_type_options'] = 'X-Content-Type-Options: nosniff';
 //
 // Referrer Policy is a new header that allows a site to control how much
-// information the browser includes with navigations away from a document
+// information the browser includes with navigation away from a document
 // and should be set by all sites.
-//$_configuration['security_referrer_policy'] = '';
+//$_configuration['security_referrer_policy'] = 'origin-when-cross-origin';
 // HTTP headers security section ends here
\ No newline at end of file
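Review bot: The new `security_referrer_policy` example is a bare directive value, while the `security_x_content_type_options` example at the top of the hunk carries the full `Header-Name: value` form; the code that consumes the referrer setting is not in this diff, so either the two adjacent examples should follow one convention or the comment should state which form applies to which key. Separately, `origin-when-cross-origin` still sends the origin on HTTPS-to-HTTP navigations; `strict-origin-when-cross-origin`, the current browser default, keeps the same cross-origin behaviour but drops the referrer on a protocol downgrade and would be the safer example: `//$_configuration['security_referrer_policy'] = 'strict-origin-when-cross-origin';`.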