Security Policy Reporting

Sentry provides the ability to collect information on Content-Security-Policy (CSP) violations, as well as Expect-CT and HTTP Public Key Pinning (HPKP) failures by setting the proper HTTP header which results in the violation or failure to be sent to Sentry endpoint specified in report-uri.

The integration process consists of configuring the appropriate header with your project key’s Security Header endpoint found at Project Settings > Security Headers.

Content-Security-Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from the execution of malicious content in the trusted web page context. It’s enforced by browser vendors, and Sentry supports capturing CSP violations using the standard CSP reporting hooks.

To configure CSP reports in Sentry, you’ll need to send a header from your server describing your policy and specifying the authenticated Sentry endpoint:

Copied
Content-Security-Policy: ...;
    report-uri https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey;
    report-to csp-endpoint

Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey"}],"include_subdomains":true}

Alternatively, you can set up CSP reports to simply send reports rather than enforcing the policy:

Copied
Content-Security-Policy-Report-Only: ...;
    report-uri https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey;
    report-to csp-endpoint

Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey"}],"include_subdomains":true}

When defining your policy it is important to ensure that sentry.io or your self-hosted Sentry domain is in your default-src or connect-src policy, or browsers will block requests that submit policy violations.

For more information, see the article on MDN.

Certificate Transparency (CT) is a security standard that helps track and identify valid certificates, allowing identification of maliciously issued certificates.

To configure reports in Sentry, you’ll need to configure the Expect-CT header from your server:

Copied
Expect-CT: ..., report-uri="https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey"

For more information, see the article on MDN.

HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. It’s enforced by browser vendors, and Sentry supports capturing violations using the standard reporting hooks.

To configure HPKP reports in Sentry, you’ll need to send a header from your server describing your policy and specify the authenticated Sentry endpoint:

Copied
Public-Key-Pins: ...; report-uri="https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey"

For more information, see the article on MDN.

In addition to the sentry_key parameter, you may also pass the following within the query string for the report URI:

sentry_environment

The environment name (for example, production). The environment name is case-sensitive and can't contain new lines, spaces, or forward slashes. It can't be the string "None" or exceed 64 characters.

sentry_release

The version of the application.

Help improve this content
Our documentation is open source and available on GitHub. Your contributions are welcome, whether fixing a typo (drat!) or suggesting an update ("yeah, this would be better").