CSP Reports — Setup & Integration Guide
SiteGuardian includes a built-in ingest endpoint for Content-Security-Policy violations and Reporting-API events. Point your CSP at it, and browser-reported violations flow into your monitor's dashboard within seconds.
1. Enable on a monitor
On the monitor's detail page, open the CSP Reports tab and click Enable. We generate a fresh HMAC-signed URL and a copy-paste header snippet.
2. Paste the headers
The snippet contains three headers, one per reporting mechanism: report-uri is the legacy CSP2 directive; report-to names a group that current browsers resolve through Reporting-Endpoints (Reporting API v1); Report-To is the older v0 form of the same group definition and is still what NEL uses. A browser that understands report-to ignores report-uri, so shipping all three at once does not double-report.
nginx
Put these in the same block as your other add_header lines: a location block that has add_header directives of its own does not inherit the ones from the server block, and the CSP silently disappears on those paths.
add_header Content-Security-Policy "default-src 'self'; report-uri https://reports.siteguardian.io/r/{monitor_id}/{hmac}; report-to sg-csp" always;
add_header Reporting-Endpoints 'sg-csp="https://reports.siteguardian.io/r/{monitor_id}/{hmac}"' always;
add_header Report-To '{"group":"sg-csp","max_age":10886400,"endpoints":[{"url":"https://reports.siteguardian.io/r/{monitor_id}/{hmac}"}]}' always;
Apache
Header always set Content-Security-Policy "default-src 'self'; report-uri https://reports.siteguardian.io/r/{monitor_id}/{hmac}; report-to sg-csp"
Header always set Reporting-Endpoints 'sg-csp="https://reports.siteguardian.io/r/{monitor_id}/{hmac}"'
Header always set Report-To '{"group":"sg-csp","max_age":10886400,"endpoints":[{"url":"https://reports.siteguardian.io/r/{monitor_id}/{hmac}"}]}'
Caddy
header {
    Content-Security-Policy "default-src 'self'; report-uri https://reports.siteguardian.io/r/{monitor_id}/{hmac}; report-to sg-csp"
    Reporting-Endpoints `sg-csp="https://reports.siteguardian.io/r/{monitor_id}/{hmac}"`
    Report-To `{"group":"sg-csp","max_age":10886400,"endpoints":[{"url":"https://reports.siteguardian.io/r/{monitor_id}/{hmac}"}]}`
}
3. Verify
Load your site in a real browser and trigger a violation: with default-src 'self', an inline script or any third-party image or script is enough, and Report-Only mode reports it too. Within seconds the CSP Reports tab shows the first bucket. If the tab stays empty, open the browser's devtools and confirm that the response actually carries all three headers and that the group name in report-to matches the one in Reporting-Endpoints and Report-To; a header set in the wrong server block, or rewritten by a CDN or proxy in front of the origin, is the usual cause. Independently of browser traffic, our next headers scan shows a green badge when it detects your CSP advertising our endpoint.
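The same consistency check, done offline against the headers you are serving, as an added example for this guide (not SiteGuardian's own code). It takes the headers as a dict so you can feed it the output of curl -sI or any HTTP client; the sample headers below are constructed from the nginx snippet and keep the {monitor_id}/{hmac} placeholders. It flags the three ways the wiring usually breaks: report-uri missing, report-to naming a group that no header defines, or a group URL that is not on the endpoint.

```python
"""Check that a response's headers wire CSP reporting to the endpoint.

Added example for this guide, not SiteGuardian's own code. Headers are
passed as a dict so this runs offline; the samples below are constructed.
"""
import json
import re
from urllib.parse import urlparse

ENDPOINT_HOST = "reports.siteguardian.io"


def parse_csp(value):
    """'default-src 'self'; report-to sg-csp' -> {'default-src': ["'self'"], 'report-to': ['sg-csp']}"""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_reporting_endpoints(value):
    """Reporting API v1 header: name="url", name2="url2" -> {name: url}"""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'([\w-]+)\s*=\s*"([^"]+)"', value)}


def parse_report_to(value):
    """Reporting API v0 header: one or more JSON group objects -> {group: [urls]}"""
    return {g.get("group", "default"): [e["url"] for e in g.get("endpoints", [])]
            for g in json.loads("[" + value + "]")}


def on_endpoint(url, host):
    p = urlparse(url)
    return p.scheme == "https" and p.hostname == host


def check_headers(headers, endpoint_host=ENDPOINT_HOST):
    """Return a list of problems; an empty list means the legacy (report-uri),
    v1 (Reporting-Endpoints) and v0 (Report-To) paths all lead to the endpoint."""
    h = {k.lower(): v for k, v in headers.items()}
    csp_value = h.get("content-security-policy") or h.get("content-security-policy-report-only")
    if csp_value is None:
        return ["no Content-Security-Policy or Content-Security-Policy-Report-Only header"]
    csp = parse_csp(csp_value)
    problems = []

    # Legacy path, used by browsers without Reporting API support.
    if not any(on_endpoint(u, endpoint_host) for u in csp.get("report-uri", [])):
        problems.append("report-uri missing or not on the endpoint")

    # Modern path: the report-to group must be defined by Reporting-Endpoints (v1)
    # or Report-To (v0); a browser that understands report-to ignores report-uri.
    group = csp.get("report-to")
    if not group:
        problems.append("no report-to directive in the CSP")
        return problems
    group = group[0]
    v1_url = parse_reporting_endpoints(h.get("reporting-endpoints", "")).get(group)
    v0_urls = parse_report_to(h["report-to"]).get(group, []) if "report-to" in h else []
    if v1_url is None and not v0_urls:
        problems.append(f"report-to group '{group}' is defined in neither Reporting-Endpoints nor Report-To")
    if v1_url is not None and not on_endpoint(v1_url, endpoint_host):
        problems.append(f"Reporting-Endpoints URL for '{group}' is not on the endpoint")
    if v0_urls and not all(on_endpoint(u, endpoint_host) for u in v0_urls):
        problems.append(f"Report-To URL for '{group}' is not on the endpoint")
    return problems


# Constructed sample: the three headers from the nginx snippet.
SNIPPET_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; report-uri https://reports.siteguardian.io/r/{monitor_id}/{hmac}; report-to sg-csp",
    "Reporting-Endpoints": 'sg-csp="https://reports.siteguardian.io/r/{monitor_id}/{hmac}"',
    "Report-To": '{"group":"sg-csp","max_age":10886400,"endpoints":[{"url":"https://reports.siteguardian.io/r/{monitor_id}/{hmac}"}]}',
}
# Constructed sample of a common mistake: CSP says report-to, but nothing defines the group.
ORPHAN_GROUP_HEADERS = {"Content-Security-Policy": SNIPPET_HEADERS["Content-Security-Policy"]}

if __name__ == "__main__":
    for name, hdrs in (("snippet", SNIPPET_HEADERS), ("orphan group", ORPHAN_GROUP_HEADERS)):
        print(name, "->", check_headers(hdrs) or "OK")
```

Run it against the headers your origin actually returns for a few representative paths (the homepage, a deep route, a static asset), not just the one you tested in the browser; the location-block inheritance issue above shows up exactly on the paths you did not check.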
Report-Only mode
Brand-new CSP? Ship it in Report-Only mode first: nothing is blocked, but every violation is reported, so you can tighten the policy against real traffic before enforcing it. Swap the header name, keep the same directives (including report-to), and leave the Reporting-Endpoints and Report-To headers as they are. A Report-Only policy can only be delivered as an HTTP header, not through a <meta> tag.
Content-Security-Policy-Report-Only: default-src 'self'; report-uri https://reports.siteguardian.io/r/{monitor_id}/{hmac}; report-to sg-csp
What we store — and what we don't
- Client IPs are hashed with a daily-rotating salt. We keep only a 16-character prefix.
- Query strings and fragments are stripped from every URL before storage.
- User-Agent strings are reduced to a family (chrome/firefox/safari/edge/opera/other).
- Each bucket retains at most 3 raw samples and 10 affected document URIs.
- Retention: 7 days (Free), 90 days (Pro), 180 days (Business / Compliance), 365 days (Enterprise). After that, buckets expire via a TTL index.
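What that normalization looks like in code, as an added example for this guide (not SiteGuardian's ingest code): it accepts both delivery formats a browser can use, the single kebab-case object a legacy report-uri POST sends as application/csp-report and the camelCase list a Reporting API POST sends as application/reports+json, and applies the rules above before anything is kept. The salt derivation, the bucket key (effective directive plus blocked URL), the sample reports and the placeholder secret are assumptions made here.

```python
"""Normalize incoming CSP reports per the storage rules above: daily-salted
IP hash prefix, URLs without query/fragment, UA family, capped samples.
Added example for this guide, not SiteGuardian's ingest code; the salt
derivation, bucket key, sample reports and placeholder secret are assumptions."""
import hashlib, hmac, json
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

MAX_SAMPLES, MAX_DOCS, IP_PREFIX = 3, 10, 16
# Order matters: Edge/Opera UAs also contain "Chrome/", and Chrome's contains "Safari/".
UA_FAMILIES = (("Edg/", "edge"), ("OPR/", "opera"), ("Firefox/", "firefox"),
               ("Chrome/", "chrome"), ("CriOS/", "chrome"), ("Safari/", "safari"))

def ua_family(user_agent):
    return next((fam for needle, fam in UA_FAMILIES if needle in user_agent), "other")

def strip_url(url):
    """Drop query string and fragment. Non-URL blocked-uri values such as
    'inline', 'eval' or '' pass through unchanged."""
    if "://" not in url:
        return url
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def daily_salt(secret, day_iso):
    """Day's salt derived from a long-lived secret (assumed scheme)."""
    return hmac.new(secret, day_iso.encode(), hashlib.sha256).digest()

def hash_ip(ip, salt):
    """Keyed hash of the client IP; only a 16-hex-char prefix is kept."""
    return hmac.new(salt, ip.encode(), hashlib.sha256).hexdigest()[:IP_PREFIX]

def parse_reports(content_type, body, client_ip, user_agent, salt):
    """Yield normalized violations from a legacy report-uri POST (one
    application/csp-report object, kebab-case keys) or a Reporting API POST
    (application/reports+json list, camelCase keys; other report types skipped)."""
    ip = hash_ip(client_ip, salt)
    if content_type.startswith("application/csp-report"):
        r = json.loads(body)["csp-report"]
        yield {"document": strip_url(r.get("document-uri", "")),
               "directive": r.get("effective-directive") or r.get("violated-directive", ""),
               "blocked": strip_url(r.get("blocked-uri", "")),
               "ip": ip, "ua": ua_family(user_agent)}
    elif content_type.startswith("application/reports+json"):
        for report in json.loads(body):
            if report.get("type") != "csp-violation":
                continue  # NEL, deprecation, intervention: bucketed elsewhere
            b = report["body"]
            yield {"document": strip_url(b.get("documentURL", "")),
                   "directive": b.get("effectiveDirective", ""),
                   "blocked": strip_url(b.get("blockedURL", "")),
                   "ip": ip, "ua": ua_family(report.get("user_agent", user_agent))}

class Bucket:
    """One (directive, blocked URL) pair: count everything, retain little."""
    def __init__(self):
        self.count, self.samples, self.documents, self.ua = 0, [], [], Counter()

    def add(self, v):
        self.count += 1
        self.ua[v["ua"]] += 1
        if v["document"] not in self.documents and len(self.documents) < MAX_DOCS:
            self.documents.append(v["document"])
        if len(self.samples) < MAX_SAMPLES:
            self.samples.append(v)

def ingest(buckets, content_type, body, client_ip, user_agent, salt):
    """Route each normalized violation into its bucket keyed by (directive, blocked)."""
    for v in parse_reports(content_type, body, client_ip, user_agent, salt):
        buckets.setdefault((v["directive"], v["blocked"]), Bucket()).add(v)
    return buckets

# Constructed samples: the same violation seen via both delivery paths, plus
# a deprecation report that must be ignored here.
CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/checkout?cart=42#step2",
    "violated-directive": "script-src-elem", "effective-directive": "script-src-elem",
    "blocked-uri": "https://cdn.evil.example/x.js?token=abc", "status-code": 200}})
V1_REPORTS = json.dumps([
    {"type": "csp-violation", "age": 12, "url": "https://www.example.com/checkout?cart=7",
     "user_agent": FIREFOX_UA,
     "body": {"documentURL": "https://www.example.com/checkout?cart=7",
              "effectiveDirective": "script-src-elem",
              "blockedURL": "https://cdn.evil.example/x.js?token=def", "disposition": "enforce"}},
    {"type": "deprecation", "age": 3, "url": "https://www.example.com/",
     "user_agent": FIREFOX_UA, "body": {"id": "ExampleFeature", "message": "constructed"}}])

def demo():
    """Ingest both samples with a fixed day's salt; returns the bucket dict."""
    salt = daily_salt(b"placeholder-secret", "2024-01-01")
    buckets = ingest({}, "application/csp-report", LEGACY_REPORT, "203.0.113.7", CHROME_UA, salt)
    return ingest(buckets, "application/reports+json", V1_REPORTS, "198.51.100.9", FIREFOX_UA, salt)

if __name__ == "__main__":
    for (directive, blocked), b in demo().items():
        print(directive, blocked, b.count, dict(b.ua), b.documents)
```

Two details matter for privacy here. Query strings are stripped before the value is compared or stored, so a session token in a blocked URL never reaches the bucket key, and the two reports above (different tokens, different cart IDs) collapse into one bucket with one document URI. The IP is hashed with a keyed HMAC rather than a bare SHA-256 so that the 16-character prefix cannot be reversed by enumerating the IPv4 space; rotating the salt daily additionally breaks linkage across days.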
Rate limits and auto-pause
nginx rate-limits at the edge at 200 req/s per source IP. Each monitor has a soft cap of 10 000 reports/minute; three consecutive minutes over the cap auto-pauses ingest for one hour and emails the monitor owner. Keep in mind that the HMAC in the URL identifies the monitor, not the sender: the URL is in every response your site serves, so anyone can post to it, which is what these limits are for. If a leaked URL is being flooded, rotate it: one click on the tab (or the regenerate API call below) issues a new HMAC-signed URL, after which you redeploy the header snippet with the new URL.
Other report types
The same endpoint accepts NEL (Network Error Logging), Deprecation, Intervention, and Expect-CT reports from the browser's Reporting API. No extra setup on our side, but each type has to be pointed at the group on yours: Deprecation and Intervention reports are delivered to the group named default, so add default="https://reports.siteguardian.io/r/{monitor_id}/{hmac}" to Reporting-Endpoints (or a second Report-To group named default); NEL needs its own NEL header naming the group, for example NEL: {"report_to":"sg-csp","max_age":10886400}, and is still configured through Report-To rather than Reporting-Endpoints, which is why the snippet keeps both headers. Expect-CT has been removed from current Chromium-based browsers, so only older clients will send those reports.
API endpoints
Programmatic access for dashboards and CI:
POST /api/v1/monitors/{id}/csp-reports/enable
POST /api/v1/monitors/{id}/csp-reports/regenerate
POST /api/v1/monitors/{id}/csp-reports/disable
GET /api/v1/monitors/{id}/csp-reports?hours=24
GET /api/v1/monitors/{id}/csp-reports/{bucket_id}
GET /api/v1/monitors/{id}/csp-reports/trend/hourly?hours=24
GET /api/v1/monitors/{id}/csp-reports/recommendations