See What Your CSP Is Blocking in Production
Your Content Security Policy runs in every visitor's browser, but you never see what it blocks. Collect real violation reports, find misconfigurations, and refine your policy with actual production data.

See every violation from real browsers
Your CSP blocks resources across thousands of browsers and devices, but without reporting you are flying blind. Every violation is collected, deduplicated, and grouped by directive and blocked URI so you see actionable patterns instead of noise.
Set up in minutes, no infrastructure needed
Enable CSP reporting from your dashboard, add the report-uri directive to your CSP header, and violations start appearing. No servers to run, no log aggregation to configure, no third-party scripts on your pages.
Add one line to your CSP header
Enable CSP reporting from your dashboard
Add the report-uri directive to your CSP header
Violations from real browsers start appearing in your dashboard
Smart deduplication keeps your dashboard clean
A single misconfigured resource can generate thousands of identical reports from different visitors. Duplicates are automatically detected and collapsed into a single entry with a count, so your dashboard stays clean and actionable.
Example: thousands of duplicate browser reports for cdn.tracker.io/analytics.js are collapsed into one actionable entry.
How it works
Enable CSP reporting
Toggle CSP violation reporting on for any monitored site. A unique, secure endpoint is generated for your site.
Add the directive to your CSP header
Copy the report-uri snippet from the setup instructions and add it to your Content-Security-Policy header.
Violations flow in automatically
Real browsers send violation reports to your endpoint. Data is deduplicated, stored, and available in your dashboard within seconds.
Frequently asked questions
What is CSP violation reporting?
Content Security Policy (CSP) is a browser security feature that controls which resources can load on your page. When a resource violates your policy, the browser can send a violation report to a URL you specify. SiteSecurityScore collects these reports, deduplicates them, and presents them in a dashboard so you can see exactly what is being blocked and why.
Do I need to change my CSP header?
Yes, you need to add a report-uri directive to your existing CSP header pointing to your unique SiteSecurityScore endpoint. If you do not have a CSP header yet, this is a good reason to add one. You can use our CSP Generator tool to create one and include the reporting endpoint.
What counts as a CSP report?
Each time a visitor's browser blocks a resource that violates your Content Security Policy, it sends a report to your endpoint. SiteSecurityScore automatically deduplicates these reports so identical violations are collapsed into a single entry with a count, rather than creating separate entries.
How many reports can I collect?
Pro plans include 50,000 CSP reports per month. Business plans include 500,000 reports per month. The counter resets at the start of each calendar month. If you hit the limit, new reports are not recorded until the next month, but your existing data remains accessible.
Can I use report-only mode?
Yes. If you set your header to Content-Security-Policy-Report-Only instead of Content-Security-Policy, browsers will report violations without actually blocking anything. This is useful for testing a new policy before enforcing it. The dashboard shows both enforced and report-only violations.
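The deduplication and the enforced versus report-only split described above, as an added example (not SiteSecurityScore's implementation): report-uri JSON bodies are validated, then counted per disposition, directive and blocked URI. Dropping the query string from the blocked URI, the field-length bound and the img.example.net host are assumptions, and the sample reports are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

MAX_FIELD = 2048  # reports are unauthenticated input, so bound what is stored

def normalize(raw_body):
    """Map one report-uri body to a (disposition, directive, blocked) key, or None."""
    try:
        report = json.loads(raw_body)["csp-report"]
        directive = report.get("effective-directive") or report["violated-directive"]
        blocked = report["blocked-uri"]
        disposition = report.get("disposition", "enforce")
        if not (isinstance(directive, str) and isinstance(blocked, str)):
            return None
        if max(len(directive), len(blocked)) > MAX_FIELD:
            return None
        if disposition not in ("enforce", "report"):
            return None
        # violated-directive may carry the whole directive; keep only its name.
        directive = directive.split()[0]
        parts = urlsplit(blocked)
        if parts.scheme in ("http", "https") and parts.netloc:
            # Assumption: drop query and fragment so per-visitor values share a group.
            blocked = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    except (ValueError, KeyError, TypeError, AttributeError, IndexError):
        return None
    return (disposition, directive, blocked)

def collapse(raw_bodies):
    counts, rejected = Counter(), 0
    for body in raw_bodies:
        key = normalize(body)
        if key is None:
            rejected += 1
        else:
            counts[key] += 1
    return counts.most_common(), rejected

def _report(directive, blocked, disposition="enforce"):
    fields = {"effective-directive": directive, "blocked-uri": blocked,
              "disposition": disposition, "document-uri": "https://example.com/"}
    return json.dumps({"csp-report": fields})

# Constructed sample traffic, not real reports.
SAMPLE = [_report("script-src", f"https://cdn.tracker.io/analytics.js?v={i}") for i in range(1000)]
SAMPLE += [_report("img-src", "https://img.example.net/a.png", "report")] * 3
SAMPLE += ['{"csp-report": {"violated-directive": "script-src \'self\'", "blocked-uri": "inline"}}']
SAMPLE += ["not json", "[]"]
```

`collapse(SAMPLE)` returns the grouped entries, most frequent first, together with the number of bodies rejected as malformed.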
How long is violation data retained?
CSP violation data is retained for 90 days. Older records are automatically cleaned up. You can view trends over 7-day or 30-day periods from the dashboard.
Stop guessing what your CSP is blocking
Real violation data from real browsers. Included with Pro and Business plans.