Report your CSP (violations)
I'm a big fan of a strict Content Security Policy (CSP). It can be a pain to set up (but there is help: here, here, here and here) and to evaluate.
Let's report it
You won't know that someone tried to violate your policy unless the attempt is reported back to your application. For that purpose we use the CSP directives report-to and the older, deprecated report-uri. Until Firefox catches up, use both. When a browser supports report-to, report-uri gets ignored.
Reporting isn't only useful in production, but already during development and especially when retrofitting a CSP onto an existing application. There you can swap the Content-Security-Policy header for Content-Security-Policy-Report-Only. It allows all content to load, but reports back all violations.
You then run your E2E tests (you have those, haven't you?) and get a free overview of what loads from where. Adjust the CSP, rinse and repeat.
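The two-directive setup and the Report-Only switch described above, as an added example (not code from the original post): the first function emits the headers, the second normalizes the two report shapes your endpoint will receive. The endpoint URL, the group name "csp-endpoint" and the sample reports are constructed for the example.

```javascript
// Added example, not code from the original post: emit a CSP that reports via both
// report-to and report-uri, and normalize the two report shapes a receiver gets.
// The endpoint URL and the group name "csp-endpoint" are constructed placeholders.
function buildCspHeaders(reportUrl, groupName, reportOnly) {
  const policy = [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    `report-to ${groupName}`,   // Reporting API; browsers that support it ignore report-uri
    `report-uri ${reportUrl}`,  // deprecated, but still what Firefox acts on
  ].join('; ');
  return {
    // Reporting-Endpoints maps the group name used by report-to to a URL
    'Reporting-Endpoints': `${groupName}="${reportUrl}"`,
    // Report-Only logs violations without blocking; use it while retrofitting
    [reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy']: policy,
  };
}

// Legacy report-uri posts one object under "csp-report" (kebab-case keys);
// the Reporting API posts an array of reports with camelCase bodies.
function parseCspReports(contentType, rawBody) {
  const data = JSON.parse(rawBody);
  if (contentType.startsWith('application/csp-report')) {
    const r = data['csp-report'];
    return [{ document: r['document-uri'], blocked: r['blocked-uri'],
              directive: r['effective-directive'] || r['violated-directive'],
              disposition: r['disposition'] || 'enforce' }];
  }
  if (contentType.startsWith('application/reports+json')) {
    return data.filter((r) => r.type === 'csp-violation').map((r) => ({
      document: r.body.documentURL, blocked: r.body.blockedURL,
      directive: r.body.effectiveDirective, disposition: r.body.disposition }));
  }
  throw new Error(`unexpected report content type: ${contentType}`);
}

// Constructed sample reports, one per format, as the two browser families would send them.
const legacySample = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://app.example/page', 'blocked-uri': 'https://thirdparty.example/widget.js',
  'violated-directive': 'script-src', 'effective-directive': 'script-src',
  'original-policy': "default-src 'self'; script-src 'self'", disposition: 'enforce' } });
const modernSample = JSON.stringify([{ age: 12, type: 'csp-violation', url: 'https://app.example/page',
  user_agent: 'constructed', body: { documentURL: 'https://app.example/page', blockedURL: 'inline',
  effectiveDirective: 'script-src', disposition: 'report', statusCode: 200 } }]);

console.log(buildCspHeaders('https://app.example/csp-reports', 'csp-endpoint', true));
console.log(parseCspReports('application/csp-report', legacySample),
            parseCspReports('application/reports+json', modernSample));
```

Once the Report-Only run over your E2E tests produces no unexpected records, flip the third argument to false and the same policy is enforced.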
Where to report to?
There are numerous SaaS providers with fancy dashboards that offer ready-made solutions. When you are pressed for time, that might be your best option. I haven't evaluated them, so I can't recommend or endorse them.
Posted by Stephan H Wissel on 07 July 2025 | Comments (0) | categories: Java JavaScript Rust WebDevelopment