CentralCSP

Main menu

All articles

Next Article

CSP enforce & report only

How to setup my reporting endpoint?

Friday, November 22, 2024

3 min read

Theotime Quere

Theotime Quere

Learn how to set up and use CSP reporting endpoints effectively. Monitor CSP violations, analyze reports, and gradually strengthen your security policy using report-only mode before enforcement.

Why Use CSP Reporting?

CSP reporting helps you understand how your Content Security Policy affects your website in real-world conditions. It allows you to detect potential security issues and policy misconfigurations before they impact your users.

Learn more about CSP basics

The Challenge of Browser Configurations

One of the most compelling reasons to use CSP reporting is the vast diversity of browser environments your website operates in:

  • Browser Differences

    Different browsers may interpret and enforce CSP policies differently. What works in your testing browser might fail in others.

  • User Configurations

    Users have different extensions, settings, and configurations that can affect how CSP policies are enforced. Testing every possible combination locally is impractical.

  • Device Variations

    Your users access your site from various devices, and browser versions - each potentially handling CSP differently.

Testing Limitations

Even with thorough testing, you can't replicate every possible combination of browser, device, and user configuration. CSP reporting acts as your early warning system for unexpected issues.

CSP reporting helps you discover:

  • Browser-specific CSP implementation differences

  • Conflicts with popular browser extensions

  • Issues on devices or configurations you don't have access to

  • Real-world usage patterns that differ from testing environments

Setting Up Your Reporting Endpoint

1. Create Your Account

First, create your account on CentralCSP to get access to the reporting dashboard:

Create CentralCSP Account

2. Generate Your CSP Endpoint

Once logged in, generate your unique reporting endpoint:

Generate CSP Endpoint

3. Implement Report-Only Mode

Start with Report-Only mode and a strict CSP policy to collect violation reports without blocking any content:

Example of a refined CSP-Report-Only policy

Content-Security-Policy-Report-Only: default-src 'self';
script-src 'self' 'nonce-1234567890';
style-src 'self''nonce-1234567890';
img-src 'self' ;
connect-src 'none' ;
frame-src 'self' ;
form-action 'self' ;
frame-ancestors 'self';
object-src 'none';
base-uri 'self';
report-uri https://report.centralcsp.com/your-endpoint;

Monitoring CSP Violations

Monitor your CSP violation reports through the dashboard:

Monitor CSP Violations

Example: Analytics Violations

Let's look at a real example of analyzing and handling CSP violations. Here's a violation report for Google Analytics:

Google Analytics Violation Report

In this case, we see that region1.google-analytics.com was blocked by our connect-src directive. Since we use Google Analytics for our website:

  • ✓ This is a legitimate resource our website needs

  • ✓ It's a known Google Analytics endpoint

  • ✓ Multiple users are affected by this violation

Therefore, we should update our CSP to allow this connection:

Updated CSP to allow Google Analytics

Content-Security-Policy-Report-Only: default-src 'self';
connect-src 'self' https://region1.google-analytics.com;
// ... rest of your policy ...

Analyzing Reports

  • Review Blocked Resources

    Examine each blocked resource to determine if it's legitimate or potentially malicious.

  • Identify Patterns

    Look for common violation patterns that might indicate needed policy adjustments.

  • Validate Sources

    Verify that blocked sources are either necessary for your site or truly unwanted.

Careful Review Required

Not every blocked resource should be added to your CSP. Violations might come from browser extensions, which don't need to be in your CSP, or from malicious code trying to execute on your site. Always investigate the source and purpose of blocked resources before allowing them.

When reviewing violations, consider:

  • Is this resource part of your website's legitimate functionality?

  • Could this be from a user's browser extension?

  • Is there any pattern suggesting malicious activity?

  • How many users are affected by this violation?

Refining Your CSP

Use the CSP Builder to create and adjust your policy based on the violation reports:

Open CSP Builder

Example of a refined CSP-Report-Only policy

Content-Security-Policy-Report-Only: default-src 'self';
script-src 'self' https://trusted-scripts.com 'nonce-1234567890';
style-src 'self' https://trusted-styles.com 'nonce-1234567890';
img-src 'self' https://trusted-images.com;
connect-src 'self' https://api.trusted-service.com;
frame-src 'self' https://trusted-frame.com;
frame-ancestors 'self';
form-action 'self' ;
object-src 'none';
base-uri 'self';
report-uri https://report.centralcsp.com/your-endpoint;

Best Practice

When adding new sources to your CSP, always use the most specific pattern possible. In this case, we use *.google-analytics.com instead of just allowing all third-party connections.

Moving to Enforcement Mode

Once you're confident in your policy, switch from Report-Only to enforcement mode:

Example of CSPin enforcement mode

Content-Security-Policy: default-src 'self';
script-src 'self' https://trusted-scripts.com 'nonce-1234567890';
style-src 'self' https://trusted-styles.com 'nonce-1234567890';
img-src 'self' https://trusted-images.com;
connect-src 'self' https://api.trusted-service.com;
frame-src 'self' https://trusted-frame.com;
frame-ancestors 'self';
form-action 'self' ;
object-src 'none';
base-uri 'self';
report-uri https://report.centralcsp.com/your-endpoint;

Important

Keep the reporting endpoint active even after switching to enforcement mode to continue monitoring for potential issues.

Continuous Monitoring

  • Regularly review violation reports to ensure your policy remains effective.

  • Investigate unexpected blockages promptly to minimize disruption.

  • Update your policy as your website evolves and new resources are added.

Best Practices

  • Always test new policies in Report-Only mode first.

  • Keep policies as restrictive as possible while maintaining functionality.

  • Document all policy changes and the reasons behind them.

  • Set up alerts for unusual spikes in violation reports.

Conclusion

CSP reporting is a crucial tool for implementing and maintaining an effective Content Security Policy. By following these steps and continuously monitoring violations, you can gradually strengthen your security posture while ensuring your website continues to function properly for all users.

Continue Reading

CSP & meta tags

Learn how to implement Content-Security-Policy using meta tags and understand the limitations compared to HTTP headers.

2024-11-16

4 min read

Theotime Quere

Theotime Quere

Read more →

How to setup nonce with NextJS

Learn how to properly setup nonce with NextJS to ensure a secure CSP configuration.

2024-12-03

5 min read

Theotime Quere

Theotime Quere

Read more →

Main menu

All articles

Theotime Quere

Written by

Theotime Quere

Docs

CSP ScannerCSP EvaluatorReporting Endpoint

Certification

PCI DSS SAQ AISO 27001Penetration Test Report

Legal Terms

Terms of UsePrivacy policy

Contact

contact@cspcentral.com

CentralSaaS © 2025