report-uri
The report-uri directive specifies a URI where the user agent should send reports about policy violations. It's considered a legacy directive but still widely supported.
Tips & Tricks
While still widely supported, report-uri is considered legacy. For newer implementations, consider sending report-to together with report-uri so that both older and newer browsers deliver reports.
You can specify multiple URIs for report-uri, separated by spaces.
Examples
Specifies a URI for sending CSP violation reports
Content-Security-Policy: ...; report-uri https://example.com/csp-report-endpoint;
Example of a CSP Violation Report
When a CSP violation occurs, the browser sends a JSON report to your specified endpoint. Here's an example of what the violation report looks like:
{
  "csp-report": {
    "document-uri": "https://example.com/page.html",
    "referrer": "",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "original-policy": "default-src 'self'; script-src 'self' https://trusted.com; report-uri /csp-endpoint",
    "disposition": "enforce",
    "blocked-uri": "https://malicious-site.com/script.js",
    "line-number": 42,
    "column-number": 8,
    "source-file": "https://example.com/page.html",
    "status-code": 0,
    "script-sample": ""
  }
}
This report provides detailed information about the violation, including the blocked resource, violated directive, and where the violation occurred in your code.
Frequently Asked Questions
What is the report-uri directive used for?
The report-uri directive specifies an endpoint URL where CSP violation reports should be sent when a policy violation occurs. For example: report-uri https://example.com/csp-reports. This helps monitor potential security issues and policy misconfigurations in your application.
Deprecation Notice
report-uri is being deprecated in favor of the report-to directive. However, it is still recommended to use both for maximum browser compatibility.
How do I set up CSP violation reporting with report-uri?
To set up CSP violation reporting, specify a valid URL endpoint that can receive and process POST requests containing JSON reports. The endpoint should be able to handle the CSP violation report format. For example: Content-Security-Policy: default-src 'self'; report-uri /csp-violation-endpoint
Implementation Note
Your reporting endpoint must be properly configured to receive and process JSON POST requests. Consider using a dedicated CSP reporting service for easier management.
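As an added example (not code from this page or from any CSP reporting service), the following minimal Python 3 endpoint, using only the standard library, accepts the report-uri POST described above, validates the wrapped csp-report object, normalizes the fields into a flat record suitable for structured logging, and filters the browser-extension noise that real deployments see. The field names match the report shown earlier; the SAMPLE_REPORT body is a constructed copy of that report, and the size cap, handler class name and port are assumptions for illustration. Report values originate in the browser and reflect page content, so the code treats them as untrusted input and only checks their types.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_REPORT_BYTES = 16 * 1024  # assumed cap; genuine reports are far smaller

# Browser extensions trigger violations that are not caused by your page.
# These URI prefixes appear in blocked-uri for Chromium and Firefox extensions.
EXTENSION_PREFIXES = ("chrome-extension://", "moz-extension://")

# Constructed sample, mirroring the report shown above (not captured traffic).
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.com/page.html",
        "referrer": "",
        "violated-directive": "script-src-elem",
        "effective-directive": "script-src-elem",
        "original-policy": "default-src 'self'; script-src 'self' https://trusted.com; report-uri /csp-endpoint",
        "disposition": "enforce",
        "blocked-uri": "https://malicious-site.com/script.js",
        "line-number": 42,
        "column-number": 8,
        "source-file": "https://example.com/page.html",
        "status-code": 0,
        "script-sample": "",
    }
}).encode("utf-8")


def _int_field(report: dict, key: str) -> int:
    """Return an integer field or 0; rejects strings/bools so a malformed report cannot poison logs."""
    value = report.get(key, 0)
    return value if isinstance(value, int) and not isinstance(value, bool) else 0


def parse_csp_report(body: bytes) -> dict:
    """Parse a report-uri POST body into a flat dict. Raises ValueError on malformed input."""
    if len(body) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"invalid JSON: {exc}") from exc
    # report-uri wraps the report in a top-level "csp-report" object
    if not isinstance(data, dict) or not isinstance(data.get("csp-report"), dict):
        raise ValueError("missing csp-report object")
    report = data["csp-report"]
    for field in ("document-uri", "violated-directive"):
        if not isinstance(report.get(field), str):
            raise ValueError(f"missing or non-string field: {field}")
    blocked = report.get("blocked-uri", "")
    return {
        "document_uri": report["document-uri"],
        "violated_directive": report["violated-directive"],
        "effective_directive": report.get("effective-directive") or report["violated-directive"],
        "blocked_uri": blocked if isinstance(blocked, str) else "",
        "disposition": report.get("disposition", "enforce"),
        "source_file": report.get("source-file", ""),
        "line_number": _int_field(report, "line-number"),
        "column_number": _int_field(report, "column-number"),
    }


def try_parse(body: bytes):
    """Lenient wrapper used by the handler: returns the parsed record or None."""
    try:
        return parse_csp_report(body)
    except ValueError:
        return None


def is_extension_noise(record: dict) -> bool:
    """True when the violation was caused by a browser extension rather than your own page."""
    return record["blocked_uri"].startswith(EXTENSION_PREFIXES)


class CspReportHandler(BaseHTTPRequestHandler):
    """Accepts POSTs from report-uri and emits one JSON log line per real violation."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0") or 0)
        body = self.rfile.read(min(length, MAX_REPORT_BYTES + 1))
        record = try_parse(body)
        if record is None:
            self.send_response(400)
            self.end_headers()
            return
        if not is_extension_noise(record):
            print(json.dumps(record))  # structured line; ship to your log pipeline
        self.send_response(204)  # browsers ignore the response body, so reply empty
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CspReportHandler).serve_forever()
```

The handler answers 204 because the browser discards whatever the endpoint returns; the useful output is the log line. Browsers POST the body with Content-Type application/csp-report, so frameworks that only parse application/json will need the raw body, as done here. Because reports can be sent by anyone who can reach the endpoint, apply the same rate limiting and size caps you would to any unauthenticated input, and never render fields such as blocked-uri or script-sample unescaped in a dashboard.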
What information is included in a CSP violation report?
CSP violation reports include details about the violation such as the blocked resource URL, the violated directive, the document URL where the violation occurred, and the user agent. This information helps diagnose and fix policy issues while maintaining security.
Report Format
Reports are sent as JSON objects containing detailed information about the violation, helping you identify the source and nature of policy violations.
Does using report-to or report-uri affect the user experience?
No, neither report-to nor report-uri affects the user experience. These directives only handle the backend reporting of CSP violations and work silently in the background. Users won't notice any difference regardless of which reporting directive is used.
Background Operation
CSP violation reporting happens asynchronously and doesn't impact page loading or functionality.