Without a CSP reporting endpoint, policy violations, whether from a blocking misconfiguration or an active injection attempt, surface only in the user's browser console and never reach you. You have no visibility into resources your CSP is blocking for legitimate users (silent breakage) or into attack probes testing the policy's edges. CWE-693 (Protection Mechanism Failure) applies: a protection mechanism with no feedback loop cannot be maintained or improved. In OWASP Top 10 terms this is a monitoring gap (A09, Security Logging and Monitoring Failures) created by a configuration choice (A05, Security Misconfiguration); deploying CSP without reporting is operationally equivalent to deploying a firewall with no logs.
Low in direct exploit impact: a missing reporting endpoint exposes nothing by itself. But a CSP without reporting cannot be operationally maintained; violations from both attacks and misconfigurations go undetected indefinitely.
Add a report-uri or report-to directive pointing to a violation collection endpoint. report-to is the current mechanism and only works when a Reporting-Endpoints header declares the named endpoint group; report-uri is deprecated but still the only directive some browsers honour, so ship both. A browser that supports report-to ignores report-uri when both are present, so the endpoint must accept both wire formats (application/csp-report for report-uri, application/reports+json batches for report-to). Hosted collectors include report-uri.com (free tier), Sentry and Datadog.
Content-Security-Policy:
default-src 'self';
script-src 'nonce-{perRequest}' 'strict-dynamic';
report-uri /api/csp-report;
report-to csp-endpoint
Reporting-Endpoints: csp-endpoint="/api/csp-report"
To monitor without risk while tightening the policy, send the same directives in Content-Security-Policy-Report-Only first: violations are reported (with disposition "report") but nothing is blocked, so you can audit real traffic without breaking production users. The Report-Only header needs its own report-uri or report-to directive; reporting configured on the enforced header does not carry over to it.
ID: security-headers-ii.csp-quality.csp-reporting
Severity: low
What to look for: Parse the CSP header for report-uri and report-to directives. Without reporting, you will not know when CSP blocks legitimate resources (breaking your site for users) or when attack attempts are being blocked. Count reporting directives found.
Pass criteria: At least 1 reporting directive is present (report-uri or report-to). Count all reporting directives and report: "Found X reporting directives."
Fail criteria: No report-uri and no report-to directive in the CSP. Fewer than 1 reporting endpoint configured.
Skip (N/A) when: No Content-Security-Policy header configured. Run Security Headers & Basics first.
Detail on fail: "No CSP reporting endpoint configured — CSP violations are silently swallowed with no visibility into blocked resources or attacks"
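The check above, as an added example that is not part of the original page or of any scanner: it parses the CSP header value into directives, counts report-uri and report-to, and produces the pass/fail/skip result described. It goes one step beyond the stated criteria by also warning when report-to names a group that no Reporting-Endpoints header declares, or when report-uri has no URL, since either configuration counts as a directive but delivers nothing. The header strings in the test are constructed; there is no network access.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REPORTING_DIRECTIVES = ("report-uri", "report-to")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [tokens]}.

    Directives are ';'-separated and tokens whitespace-separated. Names are
    case-insensitive, and a repeated directive is ignored after its first
    occurrence, which is what browsers do.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def parse_reporting_endpoints(header: Optional[str]) -> Dict[str, str]:
    """Parse a Reporting-Endpoints header (name="url", name2="url2") into {name: url}.

    The older JSON-valued Report-To header is deliberately not handled here.
    """
    if not header:
        return {}
    pattern = r'([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"'
    return {m.group(1): m.group(2) for m in re.finditer(pattern, header)}


@dataclass
class CheckResult:
    status: str                      # "pass", "fail" or "skip"
    detail: str
    warnings: List[str] = field(default_factory=list)


def check_csp_reporting(csp: Optional[str],
                        reporting_endpoints: Optional[str] = None) -> CheckResult:
    """Apply the csp-reporting check to one response's headers."""
    if csp is None:
        return CheckResult("skip", "No Content-Security-Policy header configured")

    directives = parse_csp(csp)
    found = [d for d in REPORTING_DIRECTIVES if d in directives]
    if not found:
        return CheckResult(
            "fail",
            "No CSP reporting endpoint configured - CSP violations are silently "
            "swallowed with no visibility into blocked resources or attacks",
        )

    warnings: List[str] = []
    if "report-uri" in directives and not directives["report-uri"]:
        warnings.append("report-uri directive has no URL; it reports nothing")
    if "report-to" in directives:
        groups = directives["report-to"]
        if not groups:
            warnings.append("report-to directive has no group name; it reports nothing")
        declared = parse_reporting_endpoints(reporting_endpoints)
        for group in groups:
            if group not in declared:
                warnings.append(
                    f"report-to group {group!r} is not declared in a "
                    "Reporting-Endpoints header; report-to will deliver nothing"
                )
    return CheckResult("pass", f"Found {len(found)} reporting directives.", warnings)
```

Run it against the headers of a real response by passing the raw Content-Security-Policy and Reporting-Endpoints values; a pass with warnings is the case to look at first, because the directive count satisfies the check while no report can actually arrive.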
Remediation: CSP reporting tells you when your policy blocks something — whether it is a legitimate resource you forgot to allow or an actual attack. Add a reporting endpoint:
Content-Security-Policy: default-src 'self'; report-uri /api/csp-report; report-to csp-endpoint
Reporting-Endpoints: csp-endpoint="/api/csp-report"
Services like report-uri.com, Sentry, or Datadog can collect and aggregate CSP reports; a self-hosted endpoint must accept POSTs in both the legacy application/csp-report format (report-uri) and the Reporting API's application/reports+json batches (report-to). You can also start with Content-Security-Policy-Report-Only, carrying its own reporting directive, to monitor without blocking while you tighten your policy.
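The self-hosted endpoint side, as an added example that is not part of the original page and not the code of any of the services named above: it normalises both wire formats into one record, drops the browser-extension noise that dominates most real report streams, and buckets the rest by (directive, blocked URI) so a deploy-wide breakage shows up as one large bucket. Reports are posted by untrusted clients, so the handler size-limits and validates before parsing and never echoes content back. The two sample report bodies and the MAX_BODY_BYTES limit are constructed for the example.

```python
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_BODY_BYTES = 64 * 1024   # assumed limit: real reports are a few hundred bytes
# Browsers report extension-injected resources with a bare scheme as blocked-uri;
# those are noise for policy tuning, not something the policy can fix.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "safari-web-extension"}


class UnsupportedReportType(ValueError):
    pass


@dataclass(frozen=True)
class Violation:
    document_uri: str
    effective_directive: str
    blocked_uri: str
    disposition: str        # "enforce" (blocked) or "report" (Report-Only header)
    source_file: str
    line_number: int


def _from_legacy(r: Dict) -> Violation:
    # report-uri format: {"csp-report": {...}} with hyphenated keys.
    # Very old browsers send only violated-directive, so fall back to it.
    return Violation(
        document_uri=str(r.get("document-uri", "")),
        effective_directive=str(r.get("effective-directive") or r.get("violated-directive", "")),
        blocked_uri=str(r.get("blocked-uri", "")),
        disposition=str(r.get("disposition", "enforce")),
        source_file=str(r.get("source-file") or ""),
        line_number=int(r.get("line-number") or 0),
    )


def _from_reporting_api(rep: Dict) -> Violation:
    # report-to format: a batch of {"type", "url", "age", "body": {...}} with camelCase keys.
    b = rep.get("body") or {}
    return Violation(
        document_uri=str(b.get("documentURL") or rep.get("url", "")),
        effective_directive=str(b.get("effectiveDirective", "")),
        blocked_uri=str(b.get("blockedURL", "")),
        disposition=str(b.get("disposition", "enforce")),
        source_file=str(b.get("sourceFile") or ""),
        line_number=int(b.get("lineNumber") or 0),
    )


def parse_reports(content_type: str, body: bytes) -> List[Violation]:
    """Normalise either wire format into Violation records; raises ValueError on bad input."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in ("application/csp-report", "application/reports+json"):
        raise UnsupportedReportType(media_type)
    data = json.loads(body)                     # JSONDecodeError is a ValueError
    if media_type == "application/csp-report":
        if not isinstance(data, dict) or not isinstance(data.get("csp-report"), dict):
            raise ValueError("malformed csp-report")
        return [_from_legacy(data["csp-report"])]
    if not isinstance(data, list):
        raise ValueError("Reporting API body must be a list")
    # A batch can carry other report types (deprecation, crash, ...); keep only CSP ones.
    return [_from_reporting_api(r) for r in data
            if isinstance(r, dict) and r.get("type") == "csp-violation"]


def is_extension_noise(v: Violation) -> bool:
    return v.blocked_uri.split(":", 1)[0].lower() in EXTENSION_SCHEMES


def summarize(violations: List[Violation]) -> Counter:
    """Bucket by (directive, blocked URI), ignoring extension noise."""
    return Counter((v.effective_directive, v.blocked_uri)
                   for v in violations if not is_extension_noise(v))


def handle_report_request(method: str, content_type: str, body: bytes) -> Tuple[int, List[Violation]]:
    """Endpoint logic independent of any web framework: returns (HTTP status, parsed violations)."""
    if method.upper() != "POST":
        return 405, []
    if len(body) > MAX_BODY_BYTES:
        return 413, []
    try:
        violations = parse_reports(content_type, body)
    except UnsupportedReportType:
        return 415, []
    except ValueError:
        return 400, []
    return 204, violations            # browsers expect an empty 2xx and ignore any body


# Constructed sample reports: one legacy report-uri POST and one Reporting API batch
# containing a real violation, an extension-injected one, and an unrelated report type.
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/checkout",
    "effective-directive": "script-src-elem",
    "blocked-uri": "https://cdn.example/analytics.js",
    "disposition": "enforce",
    "source-file": "https://app.example/checkout",
    "line-number": 12,
}}).encode()

REPORTING_API_BATCH = json.dumps([
    {"type": "csp-violation", "age": 10, "url": "https://app.example/checkout",
     "body": {"documentURL": "https://app.example/checkout", "effectiveDirective": "script-src-elem",
              "blockedURL": "https://cdn.example/analytics.js", "disposition": "enforce",
              "sourceFile": "https://app.example/checkout", "lineNumber": 12}},
    {"type": "csp-violation", "age": 5, "url": "https://app.example/checkout",
     "body": {"documentURL": "https://app.example/checkout", "effectiveDirective": "script-src-elem",
              "blockedURL": "chrome-extension", "disposition": "enforce"}},
    {"type": "deprecation", "age": 1, "url": "https://app.example/", "body": {"id": "example"}},
]).encode()
```

Wire handle_report_request behind the route named in the policy (POST only, no CSRF token, since browsers send reports without one), rate-limit it per client, and keep summarize's buckets over a rolling window: a new bucket appearing right after a deploy is a misconfiguration to fix, while a bucket of inline or unexpected-origin script violations from a single page is what an injection attempt looks like.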