diff --git a/Changelog.md b/Changelog.md
index b592f66d7..33898e1d2 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -29,6 +29,7 @@
 * Cleanup rtl css [#7374](https://github.com/diaspora/diaspora/pull/7374)
 * Increase visual spacing between list items [#7401](https://github.com/diaspora/diaspora/pull/7401)
 * Remove unused gem and cucumber step [#7410](https://github.com/diaspora/diaspora/pull/7410)
+* Disable CSP header when `report_only` and no `report_uri` is set [#7367](https://github.com/diaspora/diaspora/pull/7367)
 
 ## Bug fixes
 * Don't hide posts when blocking someone from the profile [#7379](https://github.com/diaspora/diaspora/pull/7379)
diff --git a/config/diaspora.yml.example b/config/diaspora.yml.example
index 83d6830d2..1a269a6ad 100644
--- a/config/diaspora.yml.example
+++ b/config/diaspora.yml.example
@@ -561,10 +561,11 @@ configuration: ## Section
     ## party domains from services that are included in diaspora*, like OEmbed
     ## scripts, so you can safely activate it by setting `report_only` to false. If
     ## you customized diaspora* (edited templates or added own JS), additional work
-    ## may be required. You can test the policy with the "report_uri". Our default CSP
+    ## may be required. You can test the policy with the `report_uri`. Our default CSP
     ## does not work with Google analytics or Piwik, because they inject JS code that
     ## is blocked by CSP.
     csp:
+
       ## Report-Only header (default=true)
       ## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
       ## this to false, the "Content-Security-Policy" header is added instead.
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index 9787c604f..d2b44fb9f 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -38,7 +38,7 @@ SecureHeaders::Configuration.default do |config|
 
   if AppConfig.settings.csp.report_only?
     config.csp = SecureHeaders::OPT_OUT
-    config.csp_report_only = csp
+    config.csp_report_only = csp if AppConfig.settings.csp.report_uri.present?
   else
     config.csp = csp
   end