Pro & Compliance · EU-hosted

CSP without reporting is CSP on faith.

Modern browsers can POST a structured report every time they block a script, image, or style that violates your CSP. SiteGuardian gives you an endpoint to receive them — aggregated, deduplicated, and alerted on.

Up to 1 M reports/day · 180-day retention · Privacy-first · EU-hosted

1 M → 1 row

A misconfigured CSP can flood you with millions of reports from a single browser tab. We bucket by (directive, blocked URI, source file) — one row with a count, three samples, and a browser breakdown.

Privacy by design

Client IPs hashed with a daily-rotating salt. Query strings + fragments stripped from document URIs before storage. User-Agent reduced to browser family. No session tokens. No cookies.
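The bucketing and privacy steps described above, sketched as an added example (not SiteGuardian's code). The report field names come from the two CSP report formats browsers send; the HMAC-SHA256 construction for the IP hash, the User-Agent tokens and the sample data are assumptions.

```python
import hashlib
import hmac
from collections import Counter
from urllib.parse import urlsplit

def strip_query(uri):  # drop query string and fragment from a document URI
    return urlsplit(uri)._replace(query="", fragment="").geturl()

def hash_ip(ip, daily_salt):  # keyed hash; HMAC-SHA256 is an assumed construction
    return hmac.new(daily_salt, ip.encode(), hashlib.sha256).hexdigest()

def browser_family(ua):  # crude reduction; Edge and Chrome UAs also contain "Safari/"
    pairs = (("Edg/", "Edge"), ("Firefox/", "Firefox"), ("Chrome/", "Chrome"), ("Safari/", "Safari"))
    return next((fam for tok, fam in pairs if tok in ua), "Other")

def normalize(payload):  # yields (directive, blocked, source, document)
    if isinstance(payload, dict) and "csp-report" in payload:  # legacy report-uri body
        r = payload["csp-report"]
        directive = (r.get("effective-directive") or r.get("violated-directive") or "").partition(" ")[0]
        yield directive, r.get("blocked-uri", ""), r.get("source-file", ""), r.get("document-uri", "")
    elif isinstance(payload, list):  # Reporting API batch
        for item in payload:
            if isinstance(item, dict) and item.get("type") == "csp-violation":
                b = item.get("body") or {}
                yield (b.get("effectiveDirective", ""), b.get("blockedURL", ""),
                       b.get("sourceFile", ""), b.get("documentURL", ""))

def bucket(events, daily_salt, max_samples=3):  # events: (payload, client_ip, user_agent)
    rows = {}
    for payload, ip, ua in events:
        for directive, blocked, source, document in normalize(payload):
            row = rows.setdefault((directive, blocked, source), {
                "count": 0, "samples": [], "browsers": Counter(), "clients": set()})
            row["count"] += 1
            row["browsers"][browser_family(ua)] += 1
            row["clients"].add(hash_ip(ip, daily_salt))  # raw IP is never stored
            if len(row["samples"]) < max_samples:
                row["samples"].append(strip_query(document))
    return rows

# Constructed sample input: the same violation in both wire formats.
LEGACY = {"csp-report": {"document-uri": "https://shop.example/cart?sid=abc#pay",
          "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.example/a.js",
          "source-file": "https://shop.example/app.js"}}
MODERN = [{"type": "csp-violation", "body": {"documentURL": "https://shop.example/cart?sid=xyz",
          "effectiveDirective": "script-src", "blockedURL": "https://cdn.example/a.js",
          "sourceFile": "https://shop.example/app.js"}}]
EVENTS = [(LEGACY, "203.0.113.7", "Mozilla/5.0 Firefox/126.0"),
          (MODERN, "203.0.113.7", "Mozilla/5.0 Chrome/125.0 Safari/537.36")]
```

Calling `bucket(EVENTS, salt)` collapses both reports into a single row keyed on the directive, blocked URI and source file, with the session-bearing query strings gone from the stored samples.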

Alert on drift

Built-in metrics for any alert rule: spike detection (csp_report_volume) and new-violation-type notifications (csp_new_violation_type_count). Catch a broken deploy the moment the first real user hits it.

How it works

  1. Enable CSP Reports on a monitor

     One click on the monitor's detail page. We generate an HMAC-signed URL and hand you a copy-paste CSP snippet.

  2. Paste the header into your server

     Both legacy (report-uri) and modern (Reporting-Endpoints + Report-To) formats are supported in parallel. Works with every current browser.

  3. Watch violations roll in

     Within seconds of real traffic the CSP Reports tab lights up with the first buckets. Click a row for raw samples, browser breakdown, and affected pages.

  4. Tighten your policy

     After a week of reports we suggest allowlist additions ranked by how many users each suggestion would unbreak. Apply the diff, redeploy, tighten the next ring.

No add-on fees

Available on Pro and Compliance

CSP Reports ingest is included in Pro and Compliance — no add-on fee. Quotas scale with the tier; retention and Enterprise volumes are negotiable.

Plan         CSP reports / day   Retention
Starter
Pro          100 000             90 days
Compliance   1 000 000           180 days
Enterprise   Negotiated          365 days

Hit the quota? Ingest auto-pauses with an upgrade prompt — you are never billed for overage. Per-monitor abuse protection kicks in at 10 000 reports/minute.

Frequently asked

Is there anything else I need?
No — the endpoint is provisioned automatically on each monitor. If you're currently sending reports to another service, you can run both in parallel (browsers send to every endpoint listed in Report-To) and cut over once you're happy with what you're seeing here.
Do I need to install anything?
No. Paste three headers into your web server config. Works with nginx, Apache, Caddy, Cloudflare Workers — anywhere you can set response headers.
What if my site gets DDoS'd via a bad CSP?
Edge rate-limits throttle at 200 req/s per source IP, and ingest auto-pauses for a monitor if it breaches 10k reports/min for three consecutive minutes. You'll never be billed for a crawl loop on your own site.
What about NEL, Deprecation, and other report types?
Same endpoint accepts NEL (Network Error Logging), Deprecation, Intervention, and Expect-CT reports. Useful bonus signals for tracking CDN outages and browser API changes.
Can I use my own subdomain?
White-label subdomains (reports.your-domain.com) are on the roadmap for Enterprise. Today the endpoint lives at reports.siteguardian.io/r/{monitor_id}/{hmac}.

See what your CSP is really blocking

One monitor, one header, 60 seconds to the first bucket. Included in Pro (€59/mo) and Compliance (€199/mo).