Reporting
Report-uri and report-to are used to send reports to a server when a violation of the Content-Security-Policy occurs. Learn more about the reporting directives that can be used in the Content-Security-Policy.
The report-uri and report-to directives tell client web browsers where to send reports when a Content Security Policy violation occurs.

How to set up CSP reporting with CentralCSP
Setting up CSP violation reporting with CentralCSP is quick and straightforward. Follow these simple steps:
Create your Account
Sign up for a CentralCSP account in a minute. Get a 14-day free trial.
Create a Reporting Endpoint
Once logged in, register your application and get your reporting endpoint. You'll receive a unique endpoint URL that looks like: https://report.centralcsp.com/[your-endpoint-id]
Configure Your CSP Headers
Add your new endpoint URL to your CSP configuration using both report-uri and report-to directives for maximum browser compatibility.
Monitor Violations
Access your CentralCSP dashboard to view and analyze any CSP violations in real-time. You'll receive detailed reports about blocked resources and potential security issues.
First Tier Benefits
The first tier includes all essential features: real-time violation reporting, detailed analytics, and support for multiple domains. Upgrade only when you need advanced features like custom alerting, API access, or higher volume reporting.
Example of a CSP Violation Report
When a CSP violation occurs, the browser sends a JSON report to your specified endpoint. Here's an example of what the violation report looks like:
{
  "csp-report": {
    "document-uri": "https://example.com/page.html",
    "referrer": "",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "original-policy": "default-src 'self'; script-src 'self' https://trusted.com; report-uri /csp-endpoint",
    "disposition": "enforce",
    "blocked-uri": "https://malicious-site.com/script.js",
    "line-number": 42,
    "column-number": 8,
    "source-file": "https://example.com/page.html",
    "status-code": 0,
    "script-sample": ""
  }
}
This report provides detailed information about the violation, including the blocked resource, violated directive, and where the violation occurred in your code.
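The report shown above is the legacy format a browser posts for report-uri (Content-Type application/csp-report). Reports delivered through report-to and Reporting-Endpoints arrive as a JSON array with camelCase field names (Content-Type application/reports+json), so a receiving endpoint has to accept both. The following is an added example, not CentralCSP's code: the function name normalize_reports, the 64 KiB cap and the sample inputs are assumptions constructed for illustration.

```python
import json

# Legacy (report-uri) field name -> Reporting API (report-to) field name.
FIELDS = {
    "document-uri": "documentURL",
    "blocked-uri": "blockedURL",
    "effective-directive": "effectiveDirective",
    "original-policy": "originalPolicy",
    "disposition": "disposition",
    "source-file": "sourceFile",
    "line-number": "lineNumber",
    "column-number": "columnNumber",
    "script-sample": "sample",
}
MAX_BODY = 64 * 1024  # assumed cap: reports are unauthenticated input


def normalize_reports(content_type, raw_body):
    """Return one flat dict per CSP violation, whichever format the browser sent."""
    if len(raw_body) > MAX_BODY:
        raise ValueError("report body too large")
    media_type = content_type.split(";")[0].strip().lower()
    data = json.loads(raw_body)  # raises ValueError on malformed JSON
    if media_type == "application/csp-report":  # sent for report-uri
        bodies = [data.get("csp-report")] if isinstance(data, dict) else []
        keys = FIELDS
    elif media_type == "application/reports+json":  # sent for report-to
        bodies = [r.get("body") for r in (data if isinstance(data, list) else [])
                  if isinstance(r, dict) and r.get("type") == "csp-violation"]
        keys = {name: name for name in FIELDS.values()}
    else:
        raise ValueError(f"unexpected content type: {media_type!r}")
    records = []
    for body in bodies:
        if isinstance(body, dict):  # skip malformed entries
            values = ((name, body.get(src)) for src, name in keys.items())
            # Keep scalars only, so nested attacker-supplied JSON is never stored.
            records.append({n: v if isinstance(v, (str, int)) else None for n, v in values})
    return records


# Constructed sample inputs (not captured traffic), mirroring the report above.
LEGACY_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page.html",
    "effective-directive": "script-src-elem", "disposition": "enforce",
    "blocked-uri": "https://malicious-site.com/script.js", "line-number": 42}})
MODERN_SAMPLE = json.dumps([{"type": "csp-violation", "body": {
    "documentURL": "https://example.com/page.html",
    "effectiveDirective": "script-src-elem", "disposition": "enforce",
    "blockedURL": "https://malicious-site.com/script.js", "lineNumber": 42}}])
```

Both samples normalize to the same record, so alerting and deduplication logic only has to handle one shape regardless of which directive the browser honoured.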
report-to
The report-to directive specifies a reporting endpoint for CSP violations. It works in conjunction with the Reporting-Endpoints HTTP header to define where violation reports should be sent.
Tips & Tricks
The report-to directive requires a corresponding group to be defined in the Reporting-Endpoints HTTP header to function properly.
Not all browsers support the report-to directive. Consider using report-uri as a fallback.
The Report-To header is deprecated; use Reporting-Endpoints to define where violation reports should be sent.
Examples
Specifies a reporting group named 'csp-endpoint' for CSP violations
Content-Security-Policy: ...; report-to csp-endpoint;
Reporting-Endpoints header should be sent along with the CSP header
Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/MyEndpointID"
report-uri
The report-uri directive specifies a URI where the user agent should send reports about policy violations. It's considered a legacy directive but still widely supported.
Tips & Tricks
While still widely supported, report-uri is considered legacy. Consider using both report-to and report-uri for newer implementations.
You can specify multiple URIs for report-uri, separated by spaces.
Examples
Specifies a URI for sending CSP violation reports
Content-Security-Policy: ...; report-uri https://example.com/csp-report-endpoint;