The report-shaXXX Keyword in CSP Script Directives

The 'report-sha256', 'report-sha384', and 'report-sha512' keywords in Content Security Policy script directives tell the browser to send a report to the reporting endpoint when a script is loaded on your website.

What Is report-shaXXX?

In CSP, script-src and script-src-elem can include one or more of these keywords:
  • 'report-sha256' : send a report and include a SHA-256 hash
  • 'report-sha384' : send a report and include a SHA-384 hash
  • 'report-sha512' : send a report and include a SHA-512 hash

Example of the 'report-sha256' report format

{
  "destination": "script",
  "documentURL": "https://mywebsite.com/",
  "hash": "sha256-r2hRGID3tnFVlAI+bMCPMjaKx/ovuqgaMic09dPqVCw=",
  "subresourceURL": "https://mywebsite.com/my_script.js",
  "type": "subresource"
}

What Each Value Means:
  • destination: "script"
    The type of resource involved in the report (only script is supported for now).
  • documentURL: "https://mywebsite.com/"
    The page URL where the script was loaded.
  • hash: "sha256-r2hRGID3tnFVlAI+bMCPMjaKx/ovuqgaMic09dPqVCw="
    The hash that the browser computed for the script resource.
  • subresourceURL: "https://mywebsite.com/my_script.js"
    The full URL of the script file being loaded (that triggered the report).
  • type: "subresource"
    The type of the resource fetched.

  • report-shaXXX does not allow or block scripts; it only tells the browser to send a report to the reporting endpoint when a script is loaded on the page.
  • Use it with report-to or report-uri so reports are sent to your endpoint.
  • For external scripts, use crossorigin="anonymous" on the script tag so the browser can compute and include the hash in reports.

Purpose

  • Build hash allowlists : In report-only mode, violation reports that include hashes show you which scripts are currently blocked and the exact hash that would allow each one. You can add those hashes to your enforce policy.
  • Script inventory and compliance : Services like CentralCSP use these reports to build a Script Inventory of what runs on your site and to correlate with CVE data and alerting. Hash data in reports makes that correlation accurate.
  • Security & Monitoring : You can use these reports to monitor the security of your website by detecting malicious scripts or new dependencies.

Syntax and Example

Using report-sha256 or report-sha384 in script-src with report-to

Content-Security-Policy: script-src 'self' 'report-sha256'; report-to csp-endpoint;

You must also set up a Reporting-Endpoints header (or use report-uri) so the browser knows where to send the reports. The CSP directive then references the endpoint with report-to <name> or report-uri <url>.

Example reporting endpoint header for CSP violation reports

Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/csp-report-endpoint"

Why crossorigin="anonymous" Matters for Hashes in Reports

For external scripts, the browser can only compute and include the resource's hash in a report if the request was made in CORS mode. Otherwise the browser does not have access to the response body needed to compute the hash.
  • Add crossorigin="anonymous" (or crossorigin="use-credentials") to <script> tags that load from another origin.
  • That triggers a CORS request so the browser can verify Subresource Integrity and, when report-shaXXX is used, include the hash in the report.
Without crossorigin, reports for external scripts may omit the hash field, making it harder to allowlist or debug by hash. The same requirement applies when using sha-XXX allowlist values for external resources.

External script with crossorigin so the browser can include its hash in reports

<script
src="https://cdn.example.com/app.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>

Reports Triggered

When you use 'report-sha256', 'report-sha384', or 'report-sha512':
  1. CSP violation reports : When a script is blocked, the report sent to your endpoint can include the hash of the blocked resource.
  2. Subresource / integrity reports : When a script is loaded, the report sent to your endpoint can include the hash of the script.

Implementing and Troubleshooting

  1. Add one report-shaXXX keyword : In script-src (or script-src-elem), add 'report-sha256', 'report-sha384', or 'report-sha512'. One is enough; use the algorithm you plan to allowlist with.
  2. Configure reporting : Set report-to or report-uri and, for report-to, send the Reporting-Endpoints header so reports reach your endpoint.
  3. Use crossorigin on cross-origin scripts : For scripts loaded from another origin, set crossorigin="anonymous" so hashes can be computed and included in reports.
  4. Start in report-only : Use Content-Security-Policy-Report-Only with report-shaXXX to gather hashes without blocking. Add the hashes you trust to your enforce policy, then switch when ready.
If hashes are missing from reports, check that the script tag has crossorigin="anonymous" and that the reporting endpoint is receiving reports (e.g. in CentralCSP reporting). Browser support for report-shaXXX may vary; see MDN script-src for current support.
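As an added example (not code from the page or from CentralCSP), here is a small Python ingester for the report bodies documented above, covering both the allowlist-building purpose and the troubleshooting steps: it flags scripts reported without a hash (the missing crossorigin="anonymous" case), validates the hash format against the digest length of each algorithm, and emits the script-src hash sources for the enforce policy. The Reporting API envelope shape with "type": "csp-hash" around each body is an assumption, and the sample reports are constructed.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample reports in the body format documented above. The
# envelope with "type": "csp-hash" is an assumed Reporting API wrapper.
SAMPLE_REPORTS = [
    {"type": "csp-hash", "body": {
        "destination": "script", "documentURL": "https://mywebsite.com/",
        "hash": "sha256-r2hRGID3tnFVlAI+bMCPMjaKx/ovuqgaMic09dPqVCw=",
        "subresourceURL": "https://mywebsite.com/my_script.js", "type": "subresource"}},
    {"type": "csp-hash", "body": {
        "destination": "script", "documentURL": "https://mywebsite.com/checkout",
        "hash": "sha256-r2hRGID3tnFVlAI+bMCPMjaKx/ovuqgaMic09dPqVCw=",
        "subresourceURL": "https://mywebsite.com/my_script.js", "type": "subresource"}},
    # Cross-origin script loaded without crossorigin="anonymous": no hash field.
    {"type": "csp-hash", "body": {
        "destination": "script", "documentURL": "https://mywebsite.com/",
        "subresourceURL": "https://cdn.example.com/app.js", "type": "subresource"}},
]

DIGEST_LEN = {"sha256": 32, "sha384": 48, "sha512": 64}  # digest sizes in bytes

def valid_csp_hash(value):
    """True if value is '<algo>-<base64 digest>' with the right digest length."""
    algo, sep, b64 = value.partition("-")
    if not sep or algo not in DIGEST_LEN:
        return False
    try:
        return len(base64.b64decode(b64, validate=True)) == DIGEST_LEN[algo]
    except ValueError:  # binascii.Error is a ValueError
        return False

def csp_hash(content, algo="sha256"):
    """Compute the CSP hash source for a script body, e.g. 'sha256-<base64>'."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, content).digest()).decode()

def summarize(reports):
    """Group hashes by script URL; also return URLs missing a hash and malformed hashes."""
    hashes, missing, invalid = defaultdict(set), set(), []
    for report in reports:
        body = report.get("body", report)  # accept bare bodies or envelopes
        if body.get("destination") != "script":
            continue
        url, h = body["subresourceURL"], body.get("hash")
        if h is None:
            missing.add(url)  # likely a cross-origin script without crossorigin
        elif not valid_csp_hash(h):
            invalid.append((url, h))
        else:
            hashes[url].add(h)  # more than one hash per URL means the script changed
    return hashes, missing, invalid

def allowlist_directive(hashes):
    """Build the script-src value for the enforce policy (sorted for stable diffs)."""
    sources = sorted({h for hs in hashes.values() for h in hs})
    return "script-src 'self' " + " ".join("'%s'" % h for h in sources)
```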
