Content Security Policy Monitoring via ReportURI

Following the previous post on configuring Content Security Policy for WordPress, it’s crucial that we monitor how the CSP behaves in a live environment before enforcing it, so that we won’t break the web with a strict CSP in place!

To achieve this, we can configure the web server (e.g. Nginx) to send the policy in report-only mode, so that browsers report CSP violations to a ReportURI endpoint without enforcing the policy yet. We keep it that way until we have fixed the rules that break the site in certain browsers on certain operating systems.


The following configuration will make the browser send report-only stats to ReportURI.

# Nginx config
# Append your ReportURI endpoint URL (ending in /reportOnly) after report-uri.
add_header "Content-Security-Policy-Report-Only" "default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri";

In the browser, you will notice a list of errors in the console, but nothing is actually broken, so don’t worry!

Chrome console showing a list of Report-only errors

The CSP report page in ReportURI also shows a list of report-only errors. Good: this means that every error caused by a CSP violation is reported here without actually breaking the site. How good is that?! We can then fix them as we see fit. After that, we can confidently enforce the CSP knowing that there will be no surprises.

Some insights from ReportURI report page

Policy Wizard

NOTE: Skip this if you already have CSP experience; it is helpful only as a beginner’s step before you start the report-only monitoring phase.

Now configure the CSP header report-uri directive to /wizard instead of /reportOnly.

# Nginx config
# Append your ReportURI endpoint URL (ending in /wizard) after report-uri.
add_header "Content-Security-Policy-Report-Only" "default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri";

In the following figure, you will see a list of directives and the respective blocked resources. Generally you will want to allow all unless you see something malicious.

After that, you can review the configuration that you allowed. Simply copy and paste it into the Nginx config and reload Nginx.

Once you’re done, reset the CSP report-uri directive URI to /reportOnly instead of /wizard. Now you will get insight into CSP failures and can fix them appropriately before you start enforcing the policy.
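What the wizard step amounts to, as an added example (not code from this post or from ReportURI): group report-only violation reports by directive and turn the blocked origins into a candidate policy, leaving inline, eval and data: items for manual review. The report bodies, the `blog.example` and `fonts.example` hosts and the function names are constructed for illustration; the JSON keys are those of the standard `report-uri` violation report.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Starting policy taken from the Nginx header on this page.
BASE_POLICY = {"default-src": ["'none'"], "form-action": ["'none'"], "frame-ancestors": ["'none'"]}
# Directives this sketch may extend (an assumed allow-list; adjust to your site).
FETCH = {"script-src", "style-src", "img-src", "font-src", "connect-src", "frame-src", "media-src"}
HOST = re.compile(r"[A-Za-z0-9.-]+(:\d+)?")

def source_for(blocked, document):
    """Turn a blocked-uri into a CSP source, or None when a human must decide."""
    b, d = urlsplit(blocked), urlsplit(document)
    if b.scheme not in ("http", "https") or not HOST.fullmatch(b.netloc):
        return None  # inline, eval, data, blob or junk: never allowed automatically
    if (b.scheme, b.netloc) == (d.scheme, d.netloc):
        return "'self'"
    return f"{b.scheme}://{b.netloc}"

def build_policy(raw_reports):
    """Return (candidate header value, sorted (directive, blocked-uri) pairs to review)."""
    allowed, review = defaultdict(set), set()
    for raw in raw_reports:
        try:
            r = json.loads(raw)["csp-report"]
            name = (r.get("effective-directive") or r["violated-directive"]).split()[0]
            name = re.sub(r"-(elem|attr)$", "", name)  # CSP3 sub-directives, e.g. script-src-elem
            blocked = str(r["blocked-uri"])
            src = source_for(blocked, str(r["document-uri"]))
        except (ValueError, KeyError, TypeError, AttributeError, IndexError):
            continue  # report endpoints are unauthenticated, so expect malformed bodies
        if name not in FETCH:
            continue  # a report must not introduce arbitrary directive names
        if src is None:
            review.add((name, blocked))
        else:
            allowed[name].add(src)
    policy = dict(BASE_POLICY)
    for name in sorted(allowed):
        policy[name] = sorted(allowed[name])
    return "; ".join(f"{n} {' '.join(v)}" for n, v in policy.items()), sorted(review)

# Constructed report bodies (not real traffic) in the report-uri JSON format.
SAMPLE_REPORTS = [json.dumps({"csp-report": {"document-uri": "https://blog.example/post",
                  "effective-directive": d, "blocked-uri": u}}) for d, u in (
    ("script-src-elem", "https://blog.example/wp-includes/js/jquery.js"),
    ("style-src-elem", "https://fonts.example/css"), ("font-src", "https://fonts.example/a.woff2"),
    ("script-src-elem", "inline"), ("img-src", "data"))] + ["{broken"]
```

Calling `build_policy(SAMPLE_REPORTS)` returns the header value to paste into the Nginx `add_header` line, plus the entries that still need a decision.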

