Service aims to make CSP violation reports easier to get

For a couple of years security pros have browser tools to combat Web page cross-site scripting and related attacks. One is called Content Security Policy (CSP), an HTTP header that defines a whitelist of sources (a domain) that any type of content on browser pages can be loaded from.

If an attempt is made to load content from a domain not on the list it doesn’t get through. A similar capability called HTTP Public Key Pinning (HPKP) does much the same thing, allowing admins to define a whitelist of cryptographic identities that the browser should trust for the site

One problem is easily setting up a system leveraging CSP or HPKP to warn administrators an attack is taking place. Scott Helme, a British IT security consultant, has started a free service to do that.

Called report-uri, he says it was built “to make the violation reporting aspect easy and to draw attention to the ease of deploying these security policies with the hope of increasing their usage.”

Briefly, admins register their sites so JSON-formatted violation reports are forwarded to There administrators can monitor the reports in real time, seeing what security policies are being triggered, where and why. No other customer or Web site data is collected.

Helme says his service solves the problems of receiving, storing and querying reports on premise. Reports show the type of violation (CSP or HPKP), the data, the URI and the blocked URI and its raw code. Graphs are available as well. A Top 10 section allows admins to see which pages on their site are the worst offenders and what the majority of violations are being caused by.

Registration is free for basic features, including collecting and viewing reports. In the future, Helme says, he may charge for premium features.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web