CentralCSP

report-uri

The report-uri directive specifies a URI where the user agent should send reports about policy violations. It's considered a legacy directive but still widely supported.

Tips & Tricks

  • While still widely supported, report-uri is considered legacy. Consider using report-to together with report-uri in newer implementations.

  • You can specify multiple URIs for report-uri, separated by spaces.

Examples

  • Specifies a URI for sending CSP violation reports

    Content-Security-Policy: ...; report-uri https://example.com/csp-report-endpoint;

Example of a CSP Violation Report

When a CSP violation occurs, the browser sends a JSON report to your specified endpoint. Here's an example of what the violation report looks like:

{
    "csp-report": {
        "document-uri": "https://example.com/page.html",
        "referrer": "",
        "violated-directive": "script-src-elem",
        "effective-directive": "script-src-elem",
        "original-policy": "default-src 'self'; script-src 'self' https://trusted.com; report-uri /csp-endpoint",
        "disposition": "enforce",
        "blocked-uri": "https://malicious-site.com/script.js",
        "line-number": 42,
        "column-number": 8,
        "source-file": "https://example.com/page.html",
        "status-code": 0,
        "script-sample": ""
    }
}

This report provides detailed information about the violation, including the blocked resource, violated directive, and where the violation occurred in your code.

Frequently Asked Questions

What is the report-uri directive used for?

The report-uri directive specifies an endpoint URL where CSP violation reports should be sent when a policy violation occurs. For example: report-uri https://example.com/csp-reports. This helps monitor potential security issues and policy misconfigurations in your application.

Deprecation Notice

report-uri is being deprecated in favor of the report-to directive. However, it's still recommended to use both for maximum browser compatibility.

How do I set up CSP violation reporting with report-uri?

To set up CSP violation reporting, specify a valid URL endpoint that can receive and process POST requests containing JSON reports. The endpoint should be able to handle the CSP violation report format. For example: Content-Security-Policy: default-src 'self'; report-uri /csp-violation-endpoint

Implementation Note

Your reporting endpoint must be properly configured to receive and process JSON POST requests. Consider using a dedicated CSP reporting service for easier management.
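As an added example (not code from CentralCSP), here is the core of a report-uri endpoint: it validates the JSON POST body against the report format shown above, reduces the blocked resource to its origin so reports can be grouped, and decides which HTTP status to return. The sample body, host names and the 16 KiB size limit are constructed assumptions.

```python
import json
from typing import Optional
from urllib.parse import urlsplit

MAX_BODY_BYTES = 16 * 1024  # assumed limit: drop oversized bodies before parsing
REQUIRED = ("document-uri", "violated-directive", "blocked-uri")

# Constructed sample body, modelled on the report shown above (hypothetical hosts).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page.html",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "original-policy": "default-src 'self'; report-uri /csp-endpoint",
    "disposition": "enforce",
    "blocked-uri": "https://malicious-site.com/script.js",
    "line-number": 42, "status-code": 0, "script-sample": "",
}}).encode()


def parse_csp_report(raw: bytes) -> Optional[dict]:
    """Parse one report-uri POST body; None means 'not a usable csp-report'."""
    if len(raw) > MAX_BODY_BYTES:
        return None
    try:
        report = json.loads(raw).get("csp-report")
    except (ValueError, AttributeError):  # bad JSON, or top level is not an object
        return None
    if not isinstance(report, dict) or any(k not in report for k in REQUIRED):
        return None
    blocked = str(report["blocked-uri"])
    # Network sources are reduced to their origin; values such as "inline",
    # "eval" or "data" carry no origin and are kept as-is.
    parts = urlsplit(blocked)
    origin = f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else blocked
    disposition = report.get("disposition", "enforce")
    return {
        "document": report["document-uri"],
        "directive": report.get("effective-directive", report["violated-directive"]),
        "blocked_origin": origin,
        "enforced": disposition == "enforce",  # False under Content-Security-Policy-Report-Only
        "sample": str(report.get("script-sample", ""))[:40],
    }


def handle_post(content_type: str, body: bytes) -> int:
    """HTTP status a report-uri endpoint should answer with for one request."""
    if not content_type.startswith("application/csp-report"):
        return 415  # browsers send report-uri reports with this media type
    return 204 if parse_csp_report(body) is not None else 400
```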

What information is included in a CSP violation report?

CSP violation reports include details about the violation such as the blocked resource URL, the violated directive, the document URL where the violation occurred, and the user agent. This information helps diagnose and fix policy issues while maintaining security.

Report Format

Reports are sent as JSON objects containing detailed information about the violation, helping you identify the source and nature of policy violations.

Does using report-to or report-uri affect the user experience?

No, neither report-to nor report-uri affects the user experience. These directives only handle the backend reporting of CSP violations and work silently in the background. Users won't notice any difference regardless of which reporting directive is used.

Background Operation

CSP violation reporting happens asynchronously and doesn't impact page loading or functionality.

CentralSaaS © 2025