CSP: report-uri

The HTTP Content-Security-Policy (CSP) report-uri directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

The directive has no effect in and of itself, but only gains meaning in combination with other directives.

CSP version 1
Directive type Reporting directive
This directive is not supported in the <meta> element.

Syntax

Content-Security-Policy: report-uri <uri>;
<uri>
A URI where to POST the report to.

Examples

See Content-Security-Policy-Report-Only for more information and examples.

Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/

/csp-violation-report-endpoint/ could for example run a PHP something like the following that logs the JSON detailing the violation and, if the violation is the first one added to the log file, sends an email to an administrator:

<?php

// Start configure
$log_file = dirname(__FILE__) . '/csp-violations.log';
$log_file_size_limit = 1000000; // bytes - once exceeded no further entries are added
$email_address = 'admin@example.com';
$email_subject = 'Content-Security-Policy violation';
// End configuration

$current_domain = preg_replace('/www\./i', '', $_SERVER['SERVER_NAME']);
$email_subject = $email_subject . ' on ' . $current_domain;

http_response_code(204); // HTTP 204 No Content

$json_data = file_get_contents('php://input');

// We pretty print the JSON before adding it to the log file
if ($json_data = json_decode($json_data)) {
  $json_data = json_encode($json_data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);

  if (!file_exists($log_file)) {
    // Send an email
    $message = "The following Content-Security-Policy violation occurred on " .
      $current_domain . ":\n\n" .
      $json_data .
      "\n\nFurther CPS violations will be logged to the following log file, but no further email notifications will be sent until this log file is deleted:\n\n" .
      $log_file;
    mail($email_address, $email_subject, $message,
         'Content-Type: text/plain;charset=utf-8');
  } else if (filesize($log_file) > $log_file_size_limit) {
    exit(0);
  }

  file_put_contents($log_file, $json_data, FILE_APPEND | LOCK_EX);
}

?>

Specifications

Specification Status Comment
Content Security Policy Level 3
The definition of 'report-uri' in that specification.
Editor's Draft No changes.
Content Security Policy Level 2
The definition of 'report-uri' in that specification.
Recommendation Initial definition.

Browser compatibility

Feature Chrome Edge Firefox Internet Explorer Opera Safari Servo
Basic Support251423.0No support157?
Feature Android Chrome for Android Edge Mobile Firefox for Android IE Mobile Opera Mobile Safari Mobile
Basic Support4.4(Yes)(Yes)23.0No support?7.1

See also

Document Tags and Contributors

 Contributors to this page: fscholz, Jonathan_Watt, teoli
 Last updated by: fscholz,