CSP Violation Reporting — report-uri, report-to, and Report-To Header
Updated April 2026
Your CSP is blocking something in production and you do not know about it. Violation reporting sends a JSON payload to your endpoint whenever the browser blocks a resource — giving you real data on what needs to be added to your policy.
Report-only mode first
```http
# Use Content-Security-Policy-Report-Only to collect violations without blocking
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-violations;
```
This sends reports without breaking anything. Run it for 1-2 weeks to collect violations from real traffic, then build your allowlist before switching to enforcement mode.
Add reporting to your enforced CSP
```http
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; report-uri /api/csp-violations; report-to csp-endpoint;
```
The Report-To header (modern browsers)
```http
Report-To: { "group": "csp-endpoint", "max_age": 86400, "endpoints": [{"url": "https://yourapp.com/api/csp-violations"}] }
```
Self-hosted reporting endpoint
```javascript
// Express — collect and log violations
const express = require("express");
const app = express();

app.post(
  "/api/csp-violations",
  // Legacy report-uri POSTs arrive as Content-Type: application/csp-report,
  // which express.json() would otherwise ignore
  express.json({ type: ["application/json", "application/csp-report"] }),
  (req, res) => {
    const violation = req.body["csp-report"] || req.body;
    console.log("CSP Violation:", {
      blockedUri: violation["blocked-uri"],
      violatedDirective: violation["violated-directive"],
      documentUri: violation["document-uri"],
      originalPolicy: violation["original-policy"],
    });
    // Store in your logging service (Datadog, Sentry, etc.)
    // or write to a database for analysis
    res.status(204).end();
  }
);

app.listen(3000);
```
What a violation report looks like
```json
{
  "csp-report": {
    "document-uri": "https://yourapp.com/page",
    "referrer": "",
    "blocked-uri": "https://cdn.example.com/script.js",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self';",
    "disposition": "enforce",
    "status-code": 200
  }
}
```
Reading violation reports
The most important fields:
- blocked-uri — what was blocked. Add this domain to the right directive.
- violated-directive — which directive blocked it (script-src, style-src, etc.)
- document-uri — which page had the violation
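The report-only rollout above and the field guide here both end in the same task: turning a pile of reports into allowlist changes. The following is an added example, not code from the original page, showing how that reading step looks in practice. It normalizes both delivery formats (the legacy `application/csp-report` body with `blocked-uri` fields, and the Reporting API `application/reports+json` batch that `report-to` sends, whose `body` uses `blockedURL` and `effectiveDirective`), skips the browser-extension noise that shows up in every real dataset, and treats `inline` and `eval` as what they are: not origins to allowlist but places where a nonce, hash, or code change is needed. The sample reports and the helper names (`parseBody`, `aggregate`, `suggestAllowlist`) are constructed for this example.

```javascript
// Added example (not from the original page): normalize CSP violation reports
// delivered in either format and aggregate them into allowlist candidates.
//
// Legacy report-uri POST (Content-Type: application/csp-report):
//   {"csp-report": {"blocked-uri": ..., "effective-directive": ..., ...}}
// Reporting API report-to POST (Content-Type: application/reports+json):
//   [{"type": "csp-violation", "body": {"blockedURL": ..., "effectiveDirective": ...}}, ...]

const EXTENSION_SCHEMES = ["chrome-extension:", "moz-extension:", "safari-web-extension:"];

// Convert one raw report of either format into a common shape, or null if it
// is not a CSP violation (Reporting API batches can carry other report types).
function normalizeReport(raw) {
  if (raw && typeof raw === "object" && raw["csp-report"]) {
    const r = raw["csp-report"];
    return {
      documentUri: r["document-uri"] || "",
      blockedUri: r["blocked-uri"] || "",
      // Fall back to the first token of violated-directive ("script-src 'self'")
      // when effective-directive is absent.
      effectiveDirective: r["effective-directive"] || (r["violated-directive"] || "").split(" ")[0],
      disposition: r["disposition"] || "enforce",
    };
  }
  if (raw && raw.type === "csp-violation" && raw.body) {
    const b = raw.body;
    return {
      documentUri: b.documentURL || "",
      blockedUri: b.blockedURL || "",
      effectiveDirective: b.effectiveDirective || "",
      disposition: b.disposition || "enforce",
    };
  }
  return null;
}

// Parse a whole request body: a single legacy object or a Reporting API array.
function parseBody(body) {
  const items = Array.isArray(body) ? body : [body];
  return items.map(normalizeReport).filter((r) => r !== null);
}

// blocked-uri is not always a host. "inline" and "eval" mean the page itself
// ran inline script or eval; extension URLs are injected by the user's browser.
function classifyBlockedUri(blockedUri) {
  if (blockedUri === "inline") return { kind: "inline", value: "" };
  if (blockedUri === "eval") return { kind: "eval", value: "" };
  if (blockedUri.startsWith("data:")) return { kind: "data", value: "" };
  try {
    const u = new URL(blockedUri);
    if (EXTENSION_SCHEMES.includes(u.protocol)) return { kind: "extension", value: "" };
    if (["http:", "https:", "ws:", "wss:"].includes(u.protocol)) {
      return { kind: "source", value: u.origin }; // allowlist by origin, not full URL
    }
  } catch (_) {
    // not an absolute URL; fall through and surface it for manual review
  }
  return { kind: "other", value: blockedUri };
}

// Count reports per (directive, classification, origin), dropping extension noise.
function aggregate(reports) {
  const buckets = new Map();
  for (const r of reports) {
    const c = classifyBlockedUri(r.blockedUri);
    if (c.kind === "extension") continue;
    const key = `${r.effectiveDirective}|${c.kind}|${c.value}`;
    let entry = buckets.get(key);
    if (!entry) {
      entry = { directive: r.effectiveDirective, kind: c.kind, value: c.value, count: 0, pages: new Set() };
      buckets.set(key, entry);
    }
    entry.count += 1;
    entry.pages.add(r.documentUri);
  }
  return [...buckets.values()].sort((a, b) => b.count - a.count);
}

// Turn "source" buckets into per-directive origin candidates for a human to review.
function suggestAllowlist(summary) {
  const byDirective = {};
  for (const e of summary) {
    if (e.kind !== "source") continue;
    if (!byDirective[e.directive]) byDirective[e.directive] = [];
    if (!byDirective[e.directive].includes(e.value)) byDirective[e.directive].push(e.value);
  }
  return byDirective;
}

// Constructed sample reports (not captured from a real browser).
const SAMPLE_LEGACY = { "csp-report": { "document-uri": "https://yourapp.com/page",
  "blocked-uri": "https://cdn.example.com/script.js", "violated-directive": "script-src 'self'",
  "effective-directive": "script-src", "disposition": "report" } };
const SAMPLE_REPORTING_API = [
  { type: "csp-violation", body: { documentURL: "https://yourapp.com/page", blockedURL: "https://cdn.example.com/other.js", effectiveDirective: "script-src", disposition: "report" } },
  { type: "csp-violation", body: { documentURL: "https://yourapp.com/checkout", blockedURL: "inline", effectiveDirective: "script-src", disposition: "report" } },
  { type: "csp-violation", body: { documentURL: "https://yourapp.com/page", blockedURL: "chrome-extension://abcdefghijklmnop/content.js", effectiveDirective: "script-src", disposition: "report" } },
  { type: "deprecation", body: { id: "ExampleDeprecation" } },
  { type: "csp-violation", body: { documentURL: "https://yourapp.com/page", blockedURL: "https://fonts.gstatic.com/s/roboto.woff2", effectiveDirective: "font-src", disposition: "report" } },
];

function demo() {
  const reports = [...parseBody(SAMPLE_LEGACY), ...parseBody(SAMPLE_REPORTING_API)];
  const summary = aggregate(reports);
  return { summary, suggestions: suggestAllowlist(summary) };
}

const result = demo();
for (const e of result.summary) console.log(`${e.count}x ${e.directive} ${e.kind} ${e.value} (${e.pages.size} page(s))`);
console.log("allowlist candidates:", result.suggestions);
```

Run with `node` and the two `cdn.example.com` scripts collapse into one `script-src` origin candidate, the `fonts.gstatic.com` font becomes a `font-src` candidate, the inline script is surfaced separately (it needs a nonce or hash, not an origin), and the extension report is dropped. In a real endpoint you would feed `parseBody(req.body)` into the same aggregation and review the candidates before editing the policy, since a blocked origin is only worth allowlisting if your pages actually need it.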
Third-party reporting services
| Service | Free tier | Notes |
|---|---|---|
| report-uri.com | ✅ 10K reports/month | Purpose-built for CSP reporting, dashboard included |
| Sentry | ✅ 5K events/month | Integrates with existing error tracking |
| Datadog | ❌ Paid | Good for teams already using Datadog logs |