diff --git a/deploy/csp/index.js b/deploy/csp/index.js
index 63aec6df1a72b80f4810a8d9c22b2e7a0798951c..4ce347a10fbce23d2d50acd0ed02f1f4a3e9f9db 100644
--- a/deploy/csp/index.js
+++ b/deploy/csp/index.js
@@ -3,6 +3,8 @@ const bodyParser = require('body-parser')
 
 let ALLOWED_DEFAULT_SRC, DATA_SRC
 
+const reportOnly = process.env.NODE_ENV !== 'production'
+
 try {
   ALLOWED_DEFAULT_SRC = JSON.parse(process.env.ALLOWED_DEFAULT_SRC || '[]')
 } catch (e) {
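Review bot: The new `reportOnly` constant fails open: any `NODE_ENV` other than the exact string `production` (unset, `prod`, `staging`) leaves the CSP in report-only mode, so a mis-set environment silently runs with an unenforced policy. Inverting the test so that only known non-production values relax it, e.g. `const reportOnly = ['development', 'test'].includes(process.env.NODE_ENV)`, makes enforcement the default. The value is consumed by the `reportOnly` shorthand in the second hunk, so a startup log line stating the active mode would let operators confirm it after deploy. A comment above the constant such as `// CSP is enforced unless NODE_ENV is a known non-production value` would record the intent; whether staging should enforce is a deployment decision not visible in this diff.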
@@ -61,7 +63,7 @@ module.exports = (app) => {
       ],
       reportUri: '/report-violation'
     },
-    reportOnly: true
+    reportOnly
   }))
 
   app.post('/report-violation', bodyParser.json({