Content Security Policy (CSP) Reporting Configuration

Learn how to configure Content Security Policy reporting with c/side's reporting endpoint. CSP reporting is available across all c/side subscription tiers.

Service Limits

Plan         Retention Period                                  Event Capacity
Free         30 days                                           500,000 events
Business     90 days                                           2,000,000 events
Enterprise   90 days in dashboard, 365 days in cold storage    Unlimited events

Implementation Guide

Step 1: Configure CSP Headers

Content Security Policy uses directives to control resource loading and execution. For a comprehensive list of available directives, refer to the Mozilla Developer Documentation.

Deployment Modes

CSP supports two operational modes, selected by the header name:

  • Report-Only Mode (Content-Security-Policy-Report-Only): the browser evaluates the policy and sends violation reports, but nothing is blocked
  • Enforcement Mode (Content-Security-Policy): the browser blocks violating loads and still sends reports for them

Best Practice: Deliver CSP through HTTP response headers rather than an HTML meta tag. A meta tag cannot express Report-Only mode and ignores the report-uri and report-to directives (as well as frame-ancestors and sandbox), so reporting only works from headers.

Implementation Recommendations

  1. Begin with Report-Only mode to assess impact before anything is blocked
  2. Implement essential directives first:
    • script-src: Control JavaScript source origins
    • img-src: Manage image loading sources
    • font-src: Restrict font loading sources
  3. Use script-src 'self' as a baseline: it permits scripts from the page's own origin only, so inline scripts, event handlers and eval are blocked until you add a nonce, a hash or an explicit host

Note: Automated CSP configuration tooling is scheduled for release in Q3 2025.

Step 2: Configure Reporting Endpoint

Implement the following headers in your configuration:

Content-Security-Policy Header

Content-Security-Policy: default-src 'self'; script-src 'self'; report-uri https://proxy.csidetm.com/csp; report-to csp-endpoint;

Reporting-Endpoints Header (Reporting API v1)

The name used by the report-to directive must be declared in a Reporting-Endpoints header as a name="url" pair:

Reporting-Endpoints: csp-endpoint="https://proxy.csidetm.com/csp"

Report-To Header (Reporting API v0)

Report-To is the older form of the same declaration. Chromium-based browsers have deprecated it in favour of Reporting-Endpoints, and browsers without Reporting API support fall back to report-uri, so sending report-uri, Reporting-Endpoints and Report-To together covers all of them:

Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://proxy.csidetm.com/csp"}]}
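The following is an added example, not c/side code: it builds the Step 1 and Step 2 headers for either mode and normalises the two report formats the endpoint will receive (legacy report-uri POSTs and Reporting API batches) into one shape, then rolls them up so the noisiest gaps in a Report-Only policy are visible before switching to enforcement. The endpoint URL is the one on this page; the sample reports and the site names in them are constructed.

```javascript
// Added example (not c/side's code). Endpoint URL from the page; everything
// else here (function names, sample reports, site names) is assumed.
const REPORT_ENDPOINT = "https://proxy.csidetm.com/csp";
const GROUP = "csp-endpoint";

// Build the response headers for a policy. enforce=false emits the
// Report-Only variant, which is where a rollout should start.
function buildCspHeaders(directives, { enforce = false, maxAge = 10886400 } = {}) {
  const policy = Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .concat([`report-uri ${REPORT_ENDPOINT}`, `report-to ${GROUP}`])
    .join("; ");
  const headerName = enforce
    ? "Content-Security-Policy"
    : "Content-Security-Policy-Report-Only";
  return {
    [headerName]: policy,
    // Reporting API v1: name="url" pairs, matched by the report-to directive.
    "Reporting-Endpoints": `${GROUP}="${REPORT_ENDPOINT}"`,
    // Reporting API v0 header for older Chromium; harmless to send both.
    "Report-To": JSON.stringify({
      group: GROUP, max_age: maxAge, endpoints: [{ url: REPORT_ENDPOINT }],
    }),
  };
}

// Normalise one inbound request body to a flat list of violations.
// report-uri POSTs arrive as application/csp-report with a single
// {"csp-report": {...}} object; Reporting API deliveries arrive as
// application/reports+json with an array of {type, url, age, body}.
function normalizeReports(contentType, rawBody) {
  const parsed = JSON.parse(rawBody);
  const out = [];
  if (contentType.startsWith("application/csp-report")) {
    const r = parsed["csp-report"];
    out.push({
      documentUri: r["document-uri"],
      directive: r["effective-directive"] || r["violated-directive"],
      blockedUri: r["blocked-uri"],
      disposition: r["disposition"] || "unknown", // older browsers omit it
    });
  } else if (contentType.startsWith("application/reports+json")) {
    for (const entry of parsed) {
      if (entry.type !== "csp-violation") continue; // other report types may share the endpoint
      const b = entry.body;
      out.push({
        documentUri: b.documentURL,
        directive: b.effectiveDirective,
        blockedUri: b.blockedURL,
        disposition: b.disposition,
      });
    }
  } else {
    throw new Error(`unsupported report content-type: ${contentType}`);
  }
  return out;
}

// Roll violations up by (directive, blocked origin), most frequent first.
// blocked-uri can be a bare keyword such as "inline" or "eval"; keep it as-is.
function summarize(violations) {
  const counts = new Map();
  for (const v of violations) {
    let origin;
    try { origin = new URL(v.blockedUri).origin; } catch { origin = v.blockedUri; }
    const key = `${v.directive} ${origin}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts.entries()].sort((a, b) => b[1] - a[1]);
}

// Constructed sample reports (not real traffic).
const SAMPLE_LEGACY = JSON.stringify({
  "csp-report": {
    "document-uri": "https://shop.example/checkout",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.third-party.example/tag.js",
    "disposition": "report",
  },
});
const SAMPLE_REPORTING_API = JSON.stringify([
  { type: "csp-violation", url: "https://shop.example/checkout", age: 10,
    body: { documentURL: "https://shop.example/checkout", effectiveDirective: "script-src",
            blockedURL: "https://cdn.third-party.example/tag.js", disposition: "report" } },
  { type: "csp-violation", url: "https://shop.example/", age: 200,
    body: { documentURL: "https://shop.example/", effectiveDirective: "connect-src",
            blockedURL: "https://api.analytics.example/collect", disposition: "report" } },
  { type: "deprecation", url: "https://shop.example/", age: 5, body: {} },
]);

const headers = buildCspHeaders({
  "default-src": ["'self'"], "script-src": ["'self'", "https://proxy.csidetm.com"],
});
const violations = [
  ...normalizeReports("application/csp-report", SAMPLE_LEGACY),
  ...normalizeReports("application/reports+json; charset=utf-8", SAMPLE_REPORTING_API),
];
console.log(headers["Content-Security-Policy-Report-Only"]);
console.log(summarize(violations));
```

The summary is the input to the Report-Only review: each row is either a legitimate dependency to add to the policy or something that should not be loading at all, and deciding which is the point of running in Report-Only mode first.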

Best Practices and Considerations

Important: Always add https://proxy.csidetm.com to your script-src and connect-src directives (a CSP host source is written as a scheme and host; a trailing /* is not wildcard syntax in CSP). CSP does not govern the violation report requests themselves; this entry is for the c/side resources served from that host. Note that if connect-src is absent the browser falls back to default-src, so a policy of default-src 'self' blocks those requests even when script-src lists the host.
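As an added check that is not part of c/side's documentation, the example below parses a serialized policy and verifies that the c/side host is reachable from script-src and connect-src, honouring the fallback to default-src when a fetch directive is absent. The host is the one named above; the policy strings and function names are constructed for the example.

```javascript
// Added example (not c/side's code). Host from the page; function names and
// the policy strings below are assumptions made for illustration.
const MONITOR_HOST = "https://proxy.csidetm.com";
// Directives the page says must allow the host.
const REQUIRED = ["script-src", "connect-src"];

// Parse "directive src src; directive src" into Map(directive -> [sources]).
// Per the CSP grammar a repeated directive is ignored after its first occurrence.
function parseCsp(policy) {
  const out = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!out.has(name)) out.set(name, tokens.slice(1));
  }
  return out;
}

// Effective source list for a fetch directive: the directive itself, else
// default-src, else null (neither present means nothing restricts it).
function effectiveSources(parsed, directive) {
  if (parsed.has(directive)) return { from: directive, sources: parsed.get(directive) };
  if (parsed.has("default-src")) return { from: "default-src", sources: parsed.get("default-src") };
  return { from: null, sources: null };
}

// Does a source expression list permit an origin? Handles '*', scheme-only
// sources, wildcard subdomains and host sources. Paths and ports are ignored
// (a simplification: the page asks for the whole host, not a path).
function allowsOrigin(sources, origin) {
  const { protocol, hostname } = new URL(origin);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "*" || s === protocol) return true;
    if (s.startsWith("'")) return false; // keywords, nonces and hashes never match a host
    let host = s.includes("://") ? s.split("://")[1] : s;
    host = host.split("/")[0].split(":")[0];
    if (host.startsWith("*.")) return hostname.endsWith(host.slice(1));
    return host === hostname;
  });
}

// Returns a list of problems; an empty list means the host is allowed everywhere it must be.
function checkMonitoringAllowed(policy) {
  const parsed = parseCsp(policy);
  const problems = [];
  for (const d of REQUIRED) {
    const { from, sources } = effectiveSources(parsed, d);
    if (sources === null) continue; // nothing restricts this directive
    if (!allowsOrigin(sources, MONITOR_HOST)) {
      problems.push(`${d} (via ${from}) blocks ${MONITOR_HOST}`);
    }
  }
  return problems;
}

// Constructed policies: the first forgets connect-src, which then inherits the
// restrictive default-src; the second is the corrected form.
const WEAK = "default-src 'self'; script-src 'self' https://proxy.csidetm.com; report-uri https://proxy.csidetm.com/csp";
const FIXED = "default-src 'self'; script-src 'self' https://proxy.csidetm.com; connect-src 'self' https://proxy.csidetm.com; report-uri https://proxy.csidetm.com/csp";

console.log(checkMonitoringAllowed(WEAK));  // ["connect-src (via default-src) blocks https://proxy.csidetm.com"]
console.log(checkMonitoringAllowed(FIXED)); // []
```

Run this against the policy string you actually emit, in both environments, before promoting a Report-Only policy to enforcement; the default-src fallback is the usual way the monitoring host gets locked out without any directive mentioning it.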

Environment Management

CSP implementation often varies between development and production environments. Keep the same policy in every environment: if development runs a permissive policy and production a strict one, violations surface only after deployment, and c/side cannot report what it never sees in testing.

Policy Design Strategy

Balance your CSP implementation between:

  • Strict Policies: Enhanced security through specific rules, but requires more maintenance
  • Permissive Policies: Easier maintenance but may introduce security vulnerabilities

c/side's monitoring capabilities enable you to implement broader rules while maintaining security through comprehensive violation reporting and analysis.

Known Challenges

The connect-src directive requires careful consideration due to dynamic client-side dependencies. When implementing this directive...
