When something on a page violates the Content-Security-Policy, and the policy defines a report-uri
directive, the user agent may POST a report. Reports are JSON blobs containing information about how the policy was violated.
Note: django-csp no longer handles report processing itself, so you will need to stand up your own app to receive them, or else make use of a third-party report processing service.
To throttle the number of requests made to your report-uri
endpoint, you can use csp.contrib.rate_limiting.RateLimitedCSPMiddleware
instead of csp.middleware.CSPMiddleware
and set the CSP_REPORT_PERCENTAGE
option:
CSP_REPORT_PERCENTAGE
Percentage of requests that should see the
report-uri
directive. Use this to throttle the number of CSP violation reports made to yourCSP_REPORT_URI
. A float between 0 and 1 (0 = no reports at all). Ignored ifCSP_REPORT_URI
isn't set.