CSP Violation Reporting Built for Real Rollouts
Collect, categorize, and triage violations to spot XSS attempts and tighten your policy without breaking production.
Violation Dashboard
Filter by directive, URI, and time range. Drill into individual violations to understand what was blocked and why.
Top Violated Directives (7 days)
| Directive | Blocked URI | Document | Source | Time |
|---|---|---|---|---|
| script-src | https://cdn.analytics.evil.com/tracker.js | acme-corp.com/dashboard | app.js:142 | 2 min ago |
| style-src | inline | acme-corp.com/settings | settings.vue:89 | 8 min ago |
| img-src | data: | acme-corp.com/profile | -- | 15 min ago |
| script-src | eval | acme-corp.com/checkout | vendor.js:2041 | 22 min ago |
| connect-src | https://api.third-party.io/v2/events | acme-corp.com/dashboard | main.js:57 | 31 min ago |
Fits Into Your Security Workflow
CSP violation data feeds into the same notification and alerting infrastructure as your vulnerability scans, uptime monitors, and SSL checks. One platform, one set of integrations.
- Report-only mode -- Collect violation data without blocking resources -- perfect for rolling out a new CSP gradually
- Auto-purge -- Violations are automatically purged after 30 days to keep your dashboard focused on current issues
- Bulk clear -- Clear all violations matching your current filters to reset the dashboard after a policy change
- Same alert channels -- Slack, email, PagerDuty, webhooks -- CSP alerts go through the same integrations as everything else
CSP Violation Spike
1 minute ago
87 script-src violations detected in the last hour on acme-corp.com.
Top blocked URI: cdn.analytics.evil.com/tracker.js | Source: app.js:142
See What Your CSP Is Blocking
Real browser violation reports analyzed, categorized, and presented in a single dashboard.
Violation Collection
Point your CSP report endpoint at Metric Tower and violations flow in automatically. Supports both the legacy report-uri directive and the modern Reporting-Endpoints header with report-to, so reports arrive whichever format the browser sends.
Directive Analysis
See which directives are most violated -- script-src, style-src, img-src, connect-src, and more. Identify policy gaps and fine-tune your CSP.
XSS Detection
CSP violations caused by inline script injection or eval() attempts are flagged as potential XSS. The same reports are also produced by your own inline scripts and by browser extensions (note the settings.vue and vendor.js entries in the table above), so treat the flag as a triage hint and confirm against the source file before escalating. See the attack patterns your CSP is actively blocking.
Three-Step Setup
Start collecting CSP violation reports in under five minutes.
Get your report endpoint
Sign up and MetricTower generates a unique CSP report endpoint URL for your team. No agent installation or code changes required.
Add to your CSP header
Add the report-uri directive, or a Reporting-Endpoints header plus the report-to directive, to your Content-Security-Policy header. Start with Content-Security-Policy-Report-Only so reports are collected while nothing is blocked, then switch to the enforcing header once the violation stream is clean.
Review violations
Browsers start sending violation reports immediately. Filter by directive, URI, or time range. Use the data to tighten your CSP without breaking functionality.
```http
# Option 1: report-uri (legacy, widest browser support)
Content-Security-Policy: default-src 'self'; report-uri https://metrictower.com/csp/YOUR_TOKEN;

# Option 2: Reporting-Endpoints (modern, recommended)
Reporting-Endpoints: csp-endpoint="https://metrictower.com/csp/YOUR_TOKEN"
Content-Security-Policy: default-src 'self'; report-to csp-endpoint;

# Option 3: Report-only mode (collect data without blocking)
Content-Security-Policy-Report-Only: default-src 'self'; report-uri https://metrictower.com/csp/YOUR_TOKEN;

# Notes: report-uri and report-to may both appear in one policy; a browser that
# understands report-to ignores report-uri, and older browsers do the reverse,
# so listing both covers every browser. Report-only mode works with report-to
# as well; either way the Reporting-Endpoints header must accompany report-to.
```
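As an added example (not Metric Tower's own code), here is the server side of what the two report formats look like when they arrive: a normalizer for legacy `application/csp-report` bodies and Reporting API `application/reports+json` batches, the inline/eval/unknown-host flag described under XSS Detection, and the per-directive spike check behind an alert like the one shown above. Field names follow the CSP and Reporting API specifications; the allowlist of known script hosts, the thresholds, the `demo()` helper and the two sample reports are constructed for this example.

```javascript
// Added example (not Metric Tower's code): normalize both CSP report wire formats,
// flag likely XSS, and compute a per-directive spike alert over a time window.

const SCRIPT_DIRECTIVES = new Set(['script-src', 'script-src-elem', 'script-src-attr']);

// One record per violation, whichever format it arrived in.
function toViolation(f, receivedAt) {
  return {
    directive: String(f.directive || '').split(/\s+/)[0], // "script-src 'self'" -> "script-src"
    blockedUri: f.blockedUri || '',                        // URL, "inline", "eval", "data", ...
    document: f.document || '',
    source: f.sourceFile ? `${f.sourceFile}:${f.line ?? '?'}` : null, // absent for some reports
    disposition: f.disposition || 'enforce',               // "report" under a Report-Only policy
    sample: f.sample || '',
    at: receivedAt,                                        // epoch ms when the violation happened
  };
}

// Legacy report-uri: Content-Type application/csp-report, one object under "csp-report".
// Reporting API (report-to): Content-Type application/reports+json, an array of reports,
// each with type "csp-violation", an age in ms since the event, and a camelCase "body".
function normalizeReports(contentType, rawBody, receivedAt = Date.now()) {
  const data = JSON.parse(rawBody);
  const mime = contentType.split(';')[0].trim();
  if (mime === 'application/csp-report') {
    const r = data['csp-report'];
    return [toViolation({
      directive: r['effective-directive'] || r['violated-directive'],
      blockedUri: r['blocked-uri'], document: r['document-uri'],
      sourceFile: r['source-file'], line: r['line-number'],
      disposition: r['disposition'], sample: r['script-sample'],
    }, receivedAt)];
  }
  if (mime === 'application/reports+json') {
    return data.filter(rep => rep.type === 'csp-violation').map(rep => toViolation({
      directive: rep.body.effectiveDirective, blockedUri: rep.body.blockedURL,
      document: rep.body.documentURL, sourceFile: rep.body.sourceFile,
      line: rep.body.lineNumber, disposition: rep.body.disposition, sample: rep.body.sample,
    }, receivedAt - (rep.age || 0)));
  }
  throw new Error(`unsupported Content-Type: ${contentType}`);
}

// "Potential XSS": a script-src family violation from inline script, eval(), or a
// script host not on the allowlist of hosts the app is known to load scripts from.
// Inline/eval hits are also produced by the app's own code and by browser
// extensions, so this is a triage flag, not a verdict.
function flagPotentialXss(v, knownScriptHosts) {
  if (!SCRIPT_DIRECTIVES.has(v.directive)) return false;
  if (v.blockedUri === 'inline' || v.blockedUri === 'eval') return true;
  let host;
  try { host = new URL(v.blockedUri).hostname; } catch { return false; }
  return !knownScriptHosts.has(host);
}

// Spike alert: count one directive's violations in the trailing window and report
// the most frequent blocked URI with its source, as in the alert card above.
function spikeAlert(violations, { directive, windowMs, threshold, now = Date.now() }) {
  const hits = violations.filter(v => v.directive === directive && now - v.at <= windowMs);
  if (hits.length < threshold) return null;
  const byUri = new Map();
  for (const v of hits) byUri.set(v.blockedUri, (byUri.get(v.blockedUri) || 0) + 1);
  const [topUri] = [...byUri.entries()].sort((a, b) => b[1] - a[1])[0];
  const top = hits.find(v => v.blockedUri === topUri);
  return { directive, count: hits.length, topBlockedUri: topUri, source: top.source };
}

// --- constructed sample input (hypothetical reports, not captured traffic) ---
const NOW = 1700000000000;
const LEGACY = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://acme-corp.com/dashboard', 'effective-directive': 'script-src',
  'violated-directive': 'script-src', 'blocked-uri': 'https://cdn.analytics.evil.com/tracker.js',
  'source-file': 'https://acme-corp.com/app.js', 'line-number': 142, 'disposition': 'enforce',
} });
const MODERN = JSON.stringify([
  { type: 'csp-violation', age: 500, url: 'https://acme-corp.com/checkout', body: {
    effectiveDirective: 'script-src', blockedURL: 'eval', documentURL: 'https://acme-corp.com/checkout',
    sourceFile: 'https://acme-corp.com/vendor.js', lineNumber: 2041, disposition: 'report' } },
  { type: 'deprecation', age: 1, url: 'https://acme-corp.com/', body: {} }, // ignored: not CSP
]);

function demo() {
  const known = new Set(['acme-corp.com', 'cdn.jsdelivr.net']); // assumed allowlist
  const all = [
    ...normalizeReports('application/csp-report', LEGACY, NOW),
    ...normalizeReports('application/reports+json; charset=utf-8', MODERN, NOW),
  ];
  const flagged = all.filter(v => flagPotentialXss(v, known));
  const alert = spikeAlert(all, { directive: 'script-src', windowMs: 3600000, threshold: 2, now: NOW });
  return { all, flagged, alert };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `disposition` field is what tells you whether a violation was actually blocked or merely reported under a Report-Only policy, which matters when both headers are live during a rollout; the Reporting API `age` adjustment matters because browsers batch and delay report-to deliveries, so arrival time alone skews a spike window.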
More Than a Log Viewer
Structured analysis of CSP violations to help you build a tighter, more effective policy.
Directive Breakdown
See which directives trigger the most violations -- script-src, style-src, img-src, connect-src, font-src, and more. Click any directive to filter the table and focus on that category.
XSS Attempt Detection
Violations from inline scripts, eval(), and unknown external scripts are flagged as potential XSS attempts. See what your CSP is actively preventing and verify your defenses are working.
Flexible Filtering
Filter violations by directive, blocked URI, document URL, and time range. Focus on today's issues, the last 7 days, or view the full 30-day history before auto-purge.
Source File Tracking
When the browser reports it, each violation includes the source file and line number where it occurred, plus the document URI that triggered the report. Pinpoint exactly where policy violations originate in your code; violations without a source (shown as "--") usually come from extensions or from content with no script origin.
Start Collecting CSP Violations Today
Collect violations from real browsers, categorize by directive, and detect XSS attempts -- all without touching your application code. Point your report-uri at Metric Tower and violations flow in automatically. No agent, no code changes, auto-purge after 30 days.