CSP Violation Reports

When something on a page violates the Content-Security-Policy, and the policy defines a report-uri directive, the user agent may POST a report. Reports are JSON blobs containing information about how the policy was violated.

Note: django-csp no longer handles report processing itself, so you will need to stand up your own app to receive them, or else make use of a third-party report processing service.

Throttling the number of reports

To throttle the number of requests made to your report-uri endpoint, you can use csp.contrib.rate_limiting.RateLimitedCSPMiddleware instead of csp.middleware.CSPMiddleware and set the CSP_REPORT_PERCENTAGE option:


Percentage of requests that should see the report-uri directive. Use this to throttle the number of CSP violation reports made to your CSP_REPORT_URI. A float between 0 and 1 (0 = no reports at all). Ignored if CSP_REPORT_URI isn’t set.