When checked, Jenkins will set the Content-Security-Policy header that enforces its configuration. Otherwise, it will set the Content-Security-Policy-Report-Only header, which only requests that browsers report violations, but does not enforce them.