Reporting Directives - Monitoring and Debugging

Reporting directives are essential for monitoring CSP violations and understanding your application's behavior in production.

report-uri and report-to: Violation Reporting

These directives specify where the browser should send violation reports when CSP blocks content.

Content-Security-Policy: default-src 'self'; report-uri /csp-violation-report-endpoint;

Modern reporting with report-to:

const express = require('express');
const app = express();

// Setting up the Report-To header. report-to is the successor of report-uri, but
// not every browser supports it yet, so many deployments send both directives;
// a browser that understands report-to ignores report-uri when both are present.
// (Newer browsers also accept the simpler Reporting-Endpoints header in place of Report-To.)
app.use((req, res, next) => {
    res.setHeader('Report-To', JSON.stringify({
        group: 'csp-endpoint',
        max_age: 86400,
        endpoints: [{
            url: 'https://example.com/csp-reports'
        }]
    }));

    res.setHeader('Content-Security-Policy',
        "default-src 'self'; report-to csp-endpoint"
    );
    next();
});

// Minimal sink for violations; replace with your logging pipeline.
function logCSPViolation(body) {
    console.log('CSP violation:', body.effectiveDirective,
        'blocked', body.blockedURL, 'on', body.documentURL);
}

// Processing CSP violation reports. The Reporting API delivers a JSON array
// with Content-Type application/reports+json, so the default express.json()
// type filter (application/json) has to be widened or the body stays empty.
app.post('/csp-reports', express.json({ type: 'application/reports+json' }), (req, res) => {
    const reports = Array.isArray(req.body) ? req.body : [];
    reports.forEach(report => {
        if (report.type === 'csp-violation') {
            logCSPViolation(report.body);
        }
    });
    res.status(204).end();
});
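The handler above only understands the Reporting API batch format; a collector that also keeps a report-uri fallback receives the older application/csp-report shape as well. The following added example (not code from the original page) normalises both formats into one record and drops the browser-extension violations that dominate real-world report streams. The function names, the EXTENSION_SCHEMES list and the two sample reports are constructed for illustration.

```javascript
// Added example, not from the original page; function names and sample reports
// are constructed. It normalises both CSP report formats into one shape and drops
// violations caused by browser extensions. Legacy report-uri format (Content-Type
// application/csp-report): one object under "csp-report", kebab-case keys.
// Reporting API format (application/reports+json): array of {type, url, body}.
function normalizeReports(contentType, body) {
  if (contentType.startsWith('application/csp-report')) {
    const r = (body && body['csp-report']) || {};
    return [{
      documentURL: r['document-uri'],
      blockedURL: r['blocked-uri'],
      effectiveDirective: r['effective-directive'] || r['violated-directive'],
      disposition: r.disposition || 'enforce',
      sourceFile: r['source-file'],
    }];
  }
  if (contentType.startsWith('application/reports+json')) {
    const list = Array.isArray(body) ? body : [body];
    return list
      .filter((r) => r && r.type === 'csp-violation' && r.body)
      .map((r) => ({
        documentURL: r.body.documentURL,
        blockedURL: r.body.blockedURL,
        effectiveDirective: r.body.effectiveDirective,
        disposition: r.body.disposition,
        sourceFile: r.body.sourceFile,
      }));
  }
  return []; // unknown content type: nothing to log
}
// Extensions inject scripts and styles into pages; those violations describe
// the user's browser, not the application, and would otherwise flood the log.
const EXTENSION_SCHEMES = ['chrome-extension://', 'moz-extension://', 'safari-web-extension://'];
function isExtensionNoise(v) {
  return EXTENSION_SCHEMES.some((p) => `${v.blockedURL || ''} ${v.sourceFile || ''}`.includes(p));
}
// Violations worth logging: normalised, with extension noise removed.
function triage(contentType, body) {
  return normalizeReports(contentType, body).filter((v) => !isExtensionNoise(v));
}
// Constructed sample inputs: one legacy report and one Reporting API batch.
const legacySample = { 'csp-report': { 'document-uri': 'https://app.example/p', 'blocked-uri':
  'https://cdn.example/x.js', 'effective-directive': 'script-src', disposition: 'enforce' } };
const reportingApiSample = [
  { type: 'csp-violation', body: { documentURL: 'https://app.example/p', blockedURL: 'inline',
    effectiveDirective: 'script-src', disposition: 'enforce', sourceFile: 'chrome-extension://abc/c.js' } },
  { type: 'csp-violation', body: { documentURL: 'https://app.example/p', disposition: 'report',
    blockedURL: 'https://cdn.example/y.js', effectiveDirective: 'script-src' } },
  { type: 'deprecation', body: {} },
];
```

Feeding the request's Content-Type header and parsed body into triage() gives the same record shape whichever directive the browser honoured, so alerting and aggregation only have to be written once.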