CSP report-uri Debug Guide
Use this guide to restore reliable CSP violation collection in staging and production.
1. Confirm the CSP header is delivered on HTML document responses, not only on static assets; a policy sent with a stylesheet or image response governs nothing.
2. Validate the `report-uri` URL or the `report-to` group name. `report-to` only works when the same response also carries a `Reporting-Endpoints` (or legacy `Report-To`) header that maps the group to an HTTPS endpoint with a valid certificate.
3. Check the collector accepts POST bodies of type `application/csp-report` (sent for `report-uri`) and `application/reports+json` (sent for `report-to`, as a JSON array of reports) and answers with a plain 2xx.
4. Remove redirects on the report endpoint; a redirected report submission is not followed and the report is lost.
5. Log the user agent, the document origin, the effective directive and the blocked URI for triage and deduplication; the blocked URI alone does not tell you which directive fired.
6. Test with an intentional violation after each deploy, for example an inline script under a `script-src` policy without `'unsafe-inline'`, and confirm the report reaches the collector.
Implementation notes
In production, run report collection in two phases: first validate delivery and payload integrity, then add deduplication and retention policies. Deduplicate on stable fields (document origin, effective directive, blocked URI) rather than on the raw report, because browser extensions and version churn otherwise turn one policy gap into thousands of distinct alerts. This avoids alert fatigue while still preserving enough forensic detail for incident response.
FAQ
Should I keep report-only forever? No. A report-only policy blocks nothing, so it protects nobody. Use report-only to validate the policy, then enforce once false positives are handled.
report-uri or report-to? Send both when possible. Browsers that implement `report-to` use it and ignore `report-uri` when both are present; older browsers and those without Reporting API support only understand `report-uri`.
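Worked example, added to this guide and not taken from any collector product or the original page: a stand-alone Python 3 collector that ties together steps 1 to 6 above, the deduplication advice in the implementation notes, and the "send both" answer in this FAQ. It emits headers that carry `report-uri` and `report-to` with the required `Reporting-Endpoints` entry, parses both wire formats into one shape, derives a stable deduplication key, and answers POSTs with a bare 204. The path `/csp-reports`, the group name `csp-endpoint`, the listen address and the two sample reports are assumptions constructed for illustration.

```python
"""Stand-alone CSP report collector (added example, not code from the original
guide). Path, group name, listen address and sample reports are assumptions."""
import hashlib
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

REPORT_PATH = "/csp-reports"   # assumed collector path
REPORT_GROUP = "csp-endpoint"  # assumed Reporting-Endpoints group name
ACCEPTED_TYPES = {"application/csp-report", "application/reports+json"}


def build_csp_headers(report_url, report_only=True):
    """Headers for HTML responses (step 1). Both report-uri and report-to are
    emitted (FAQ); report-to only works with a matching Reporting-Endpoints
    header on the same response (step 2)."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    policy = ("default-src 'self'; script-src 'self'; object-src 'none'; "
              f"report-uri {report_url}; report-to {REPORT_GROUP}")
    return {name: policy, "Reporting-Endpoints": f'{REPORT_GROUP}="{report_url}"'}


def parse_csp_reports(content_type, body):
    """Normalize both wire formats (steps 3 and 5) into flat dicts.
    report-uri posts {"csp-report": {...}} with hyphenated keys;
    report-to posts a JSON array of {"type": "csp-violation", "body": {...}}
    with camelCase keys."""
    mime = content_type.split(";")[0].strip().lower()
    if mime not in ACCEPTED_TYPES:
        raise ValueError(f"unsupported content type: {mime!r}")
    data = json.loads(body.decode("utf-8"))  # ValueError on bad UTF-8 or JSON
    if isinstance(data, dict) and "csp-report" in data:
        raw = [data["csp-report"]]
    elif isinstance(data, list):
        raw = [r.get("body", {}) for r in data if r.get("type") == "csp-violation"]
    else:
        raise ValueError("neither a csp-report object nor a Reporting API array")

    def pick(r, *keys):
        return next((r[k] for k in keys if r.get(k)), "")

    return [{
        "document_uri": pick(r, "document-uri", "documentURL"),
        "effective_directive": pick(r, "effective-directive", "violated-directive", "effectiveDirective"),
        "blocked_uri": pick(r, "blocked-uri", "blockedURL"),
        "disposition": pick(r, "disposition") or "unknown",
    } for r in raw]


def dedup_key(report):
    """Stable key (implementation notes): same origin, directive and blocked URI
    collapse into one alert regardless of browser version or wire format."""
    u = urlsplit(report["document_uri"])
    parts = (f"{u.scheme}://{u.netloc}", report["effective_directive"], report["blocked_uri"])
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


class CollectorHandler(BaseHTTPRequestHandler):
    def _cors(self):
        # Reporting API clients send a CORS preflight; reflecting Origin is
        # acceptable here because the endpoint never returns data.
        self.send_header("Access-Control-Allow-Origin", self.headers.get("Origin", "*"))
        self.send_header("Access-Control-Allow-Headers", "Content-Type")

    def do_OPTIONS(self):
        self.send_response(204)
        self._cors()
        self.end_headers()

    def do_POST(self):
        if self.path != REPORT_PATH:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            reports = parse_csp_reports(self.headers.get("Content-Type", ""), self.rfile.read(length))
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        ua = self.headers.get("User-Agent", "")
        for r in reports:  # one JSON line per report for triage (step 5)
            print(json.dumps({"key": dedup_key(r), "user_agent": ua, **r}))
        self.send_response(204)  # plain 2xx, no body, no redirect (step 4)
        self._cors()
        self.end_headers()


# Constructed sample payloads: the same inline-script violation in both formats.
SAMPLE_LEGACY = json.dumps({"csp-report": {
    "document-uri": "https://app.example/checkout",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "blocked-uri": "inline",
    "disposition": "report"}}).encode()
SAMPLE_REPORTING_API = json.dumps([{"type": "csp-violation", "age": 12,
    "url": "https://app.example/checkout",
    "body": {"documentURL": "https://app.example/checkout",
             "effectiveDirective": "script-src-elem",
             "blockedURL": "inline", "disposition": "report"}}]).encode()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CollectorHandler).serve_forever()
```

Run it, point `build_csp_headers("http://127.0.0.1:8080/csp-reports")` at it from a staging page, and the step 6 check is simply: load the page with an inline script and watch one JSON line appear per violation. The key returned by `dedup_key` is identical for the `report-uri` and `report-to` copies of the same violation, which is what lets a browser that sends both, or a fleet of browsers on different versions, collapse into a single alert.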