CentralCSP

Reporting

The report-uri and report-to directives tell the browser to send a report to a server when a Content-Security-Policy violation occurs. Learn more about the reporting directives that can be used in the Content-Security-Policy.

As illustrated below, the report-uri and report-to directives specify where client web browsers should send reports when a Content Security Policy violation occurs.

Website with CSP and reporting

How to set up CSP reporting with CentralCSP

Setting up CSP violation reporting with CentralCSP is quick and straightforward. Follow these simple steps:

Create your Account

Sign up for a CentralCSP account in a minute. You get a 14-day free trial.

Create a Reporting Endpoint

Once logged in, register your application and get your reporting endpoint. You'll receive a unique endpoint URL that looks like: https://report.centralcsp.com/[your-endpoint-id]

Configure Your CSP Headers

Add your new endpoint URL to your CSP configuration using both report-uri and report-to directives for maximum browser compatibility.

Monitor Violations

Access your CentralCSP dashboard to view and analyze any CSP violations in real-time. You'll receive detailed reports about blocked resources and potential security issues.

First Tier Benefits

The first tier includes all essential features: real-time violation reporting, detailed analytics, and support for multiple domains. Upgrade only when you need advanced features like custom alerting, API access, or higher volume reporting.

Example of a CSP Violation Report

When a CSP violation occurs, the browser sends a JSON report to your specified endpoint. Here's an example of what the violation report looks like:

{
    "csp-report": {
        "document-uri": "https://example.com/page.html",
        "referrer": "",
        "violated-directive": "script-src-elem",
        "effective-directive": "script-src-elem",
        "original-policy": "default-src 'self'; script-src 'self' https://trusted.com; report-uri /csp-endpoint",
        "disposition": "enforce",
        "blocked-uri": "https://malicious-site.com/script.js",
        "line-number": 42,
        "column-number": 8,
        "source-file": "https://example.com/page.html",
        "status-code": 0,
        "script-sample": ""
    }
}

This report provides detailed information about the violation, including the blocked resource, violated directive, and where the violation occurred in your code.
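The report above is the legacy report-uri shape (one object under "csp-report", hyphenated keys, sent as application/csp-report). Browsers that use report-to instead send a Reporting API batch (a JSON array of reports with "type": "csp-violation" and a camelCase "body", sent as application/reports+json), so a receiver has to handle both. The following is an added example, not CentralCSP's code: a small Python normalizer that dispatches on Content-Type, folds both shapes into one record, and applies a noise filter that drops reports about pages you don't own or resources blocked by browser extensions. The two sample payloads are constructed (the first mirrors the report above; the second is the same event as I assume the Reporting API would render it).

```python
import json
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Violation:
    """The fields a triage view needs, independent of which delivery format produced them."""
    document_uri: str
    effective_directive: str
    blocked_uri: str
    disposition: str
    source_file: Optional[str] = None
    line_number: Optional[int] = None

    @property
    def blocked_host(self) -> str:
        # Inline and eval violations carry a keyword ("inline", "eval") instead of a URL
        return urlsplit(self.blocked_uri).hostname or self.blocked_uri


def _from_legacy(obj: dict) -> Violation:
    # report-uri format: one object wrapped in "csp-report", hyphenated keys
    r = obj["csp-report"]
    return Violation(
        document_uri=r.get("document-uri", ""),
        effective_directive=r.get("effective-directive") or r.get("violated-directive", ""),
        blocked_uri=r.get("blocked-uri", ""),
        disposition=r.get("disposition", "enforce"),
        source_file=r.get("source-file"),
        line_number=r.get("line-number"),
    )


def _from_reporting_api(report: dict) -> Violation:
    # report-to format: Reporting API envelope with a camelCase "body"
    b = report["body"]
    return Violation(
        document_uri=b.get("documentURL", ""),
        effective_directive=b.get("effectiveDirective", ""),
        blocked_uri=b.get("blockedURL", ""),
        disposition=b.get("disposition", "enforce"),
        source_file=b.get("sourceFile"),
        line_number=b.get("lineNumber"),
    )


def parse_reports(content_type: str, payload: bytes) -> List[Violation]:
    """Dispatch on the request Content-Type, which is how a receiver tells the formats apart."""
    data = json.loads(payload)
    if content_type.startswith("application/csp-report"):
        return [_from_legacy(data)]
    if content_type.startswith("application/reports+json"):
        # The Reporting API batches reports; keep only CSP ones (other types may share the endpoint)
        return [_from_reporting_api(r) for r in data if r.get("type") == "csp-violation"]
    raise ValueError(f"unsupported Content-Type: {content_type}")


NOISE_SCHEMES = ("chrome-extension:", "moz-extension:", "safari-extension:", "about:")


def is_actionable(v: Violation, own_hosts: set) -> bool:
    """Drop reports that are not about your pages or that stem from browser extensions."""
    doc_host = urlsplit(v.document_uri).hostname
    if doc_host not in own_hosts:
        return False
    return not v.blocked_uri.startswith(NOISE_SCHEMES)


# Constructed samples: LEGACY_SAMPLE mirrors the report shown on the page,
# REPORTING_API_SAMPLE is an assumed Reporting API rendering of the same event
# plus an unrelated "deprecation" report that a shared endpoint might receive.
LEGACY_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page.html", "referrer": "",
    "violated-directive": "script-src-elem", "effective-directive": "script-src-elem",
    "original-policy": "default-src 'self'; script-src 'self' https://trusted.com; report-uri /csp-endpoint",
    "disposition": "enforce", "blocked-uri": "https://malicious-site.com/script.js",
    "line-number": 42, "column-number": 8, "source-file": "https://example.com/page.html",
    "status-code": 0, "script-sample": ""}}).encode()

REPORTING_API_SAMPLE = json.dumps([
    {"age": 12, "type": "csp-violation", "url": "https://example.com/page.html",
     "user_agent": "constructed/1.0",
     "body": {"documentURL": "https://example.com/page.html", "referrer": "",
              "blockedURL": "https://malicious-site.com/script.js",
              "effectiveDirective": "script-src-elem",
              "originalPolicy": "default-src 'self'; script-src 'self' https://trusted.com; report-to csp-endpoint",
              "disposition": "enforce", "sourceFile": "https://example.com/page.html",
              "lineNumber": 42, "columnNumber": 8, "statusCode": 200, "sample": ""}},
    {"age": 3, "type": "deprecation", "url": "https://example.com/",
     "user_agent": "constructed/1.0", "body": {}},
]).encode()


if __name__ == "__main__":
    for ctype, payload in (("application/csp-report", LEGACY_SAMPLE),
                           ("application/reports+json", REPORTING_API_SAMPLE)):
        for v in parse_reports(ctype, payload):
            print(ctype, v.effective_directive, v.blocked_host, is_actionable(v, {"example.com"}))
```

Keying the dispatch on Content-Type rather than sniffing the JSON matters because a report-to endpoint may receive other Reporting API report types (deprecation, crash, network errors) in the same batch; filtering on "type" keeps those out of your CSP dashboard. The extension-scheme filter is an added heuristic, not something the page specifies.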


report-to

The report-to directive specifies a reporting endpoint for CSP violations. It works in conjunction with the Reporting-Endpoints HTTP header to define where violation reports should be sent.

Tips & Tricks

  • The report-to directive requires a corresponding group to be defined in the Reporting-Endpoints HTTP header to function properly.

  • Not all browsers support the report-to directive. Consider using report-uri as a fallback.

  • The Report-To header is deprecated; use Reporting-Endpoints to define where violation reports should be sent.

Examples

  • Specifies a reporting group named 'csp-endpoint' for CSP violations

    Content-Security-Policy: ...; report-to csp-endpoint;

  • The Reporting-Endpoints header should be sent along with the CSP header

    Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/MyEndpointID"
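The "Configure Your CSP Headers" step above and this report-to section both come down to emitting three header values consistently: a policy that carries report-uri (for browsers without report-to support) and report-to, plus a Reporting-Endpoints header whose group name matches the report-to value. The following is an added example, not CentralCSP's code: a Python helper that assembles those headers from an existing policy string and validates the parts that commonly go wrong. The endpoint URL reuses the MyEndpointID placeholder from the example above; the optional Content-Security-Policy-Report-Only switch is a standard header not discussed on this page, included because reporting is usually rolled out in report-only mode first.

```python
from typing import Dict
from urllib.parse import urlsplit


def _valid_group_name(group: str) -> bool:
    # Reporting-Endpoints is a Structured Fields dictionary; its keys must start with a
    # lowercase letter or "*" and contain only lowercase letters, digits, "_", "-", ".", "*"
    if not group or not (group[0].islower() or group[0] == "*"):
        return False
    return all(c.isdigit() or (c.isalpha() and c.islower()) or c in "_-.*" for c in group)


def build_reporting_headers(policy: str, endpoint_url: str,
                            group: str = "csp-endpoint",
                            report_only: bool = False) -> Dict[str, str]:
    """Return the headers that pair report-uri (legacy) with report-to (Reporting API)."""
    parts = urlsplit(endpoint_url)
    if parts.scheme != "https" or not parts.netloc:
        # Reports carry page URLs, source files and code samples: never send them in cleartext
        raise ValueError("reporting endpoint must be an absolute https URL")
    if not _valid_group_name(group):
        raise ValueError(f"invalid Reporting-Endpoints group name: {group!r}")
    directives = [d.strip() for d in policy.split(";") if d.strip()]
    # A policy lists each directive once; a second report-uri/report-to would be ignored
    if any(d.split()[0] in ("report-uri", "report-to") for d in directives):
        raise ValueError("policy already contains a reporting directive")
    directives += [f"report-uri {endpoint_url}", f"report-to {group}"]
    header_name = ("Content-Security-Policy-Report-Only" if report_only
                   else "Content-Security-Policy")
    return {
        header_name: "; ".join(directives),
        # The group name maps to the quoted endpoint URL; send this alongside the CSP header
        "Reporting-Endpoints": f'{group}="{endpoint_url}"',
    }


if __name__ == "__main__":
    # Assumed policy and the endpoint placeholder from the page's example
    headers = build_reporting_headers(
        "default-src 'self'; script-src 'self' https://trusted.com",
        "https://report.centralcsp.com/MyEndpointID",
    )
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Rejecting a policy that already contains a reporting directive is deliberate: CSP honours only the first occurrence of a directive, so appending a second report-uri silently leaves the old endpoint in charge. Deploy the returned values with your framework's response-header mechanism; the builder only produces the strings.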

report-uri

The report-uri directive specifies a URI where the user agent should send reports about policy violations. It's considered a legacy directive but still widely supported.

Tips & Tricks

  • While still widely supported, report-uri is considered legacy. Consider using report-to together with report-uri for newer implementations.

  • You can specify multiple URIs for report-uri, separated by spaces.

Examples

  • Specifies a URI for sending CSP violation reports

    Content-Security-Policy: ...; report-uri https://example.com/csp-report-endpoint;


CentralSaaS © 2025