Security Policy Reporting
Sentry can collect reports of Content-Security-Policy (CSP) violations, as well as Expect-CT and HTTP Public Key Pinning (HPKP) failures. You enable this by setting the corresponding HTTP header on your server; when the browser detects a violation or failure, it sends a report to the Sentry endpoint specified in the header's report-uri.
The integration process consists of configuring the appropriate header with your project key’s Security Header endpoint found at Project Settings > Security Headers.
Content-Security-Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from the execution of malicious content in the trusted web page context. It’s enforced by browser vendors, and Sentry supports capturing CSP violations using the standard CSP reporting hooks.
To configure CSP reports in Sentry, you’ll need to send a header from your server describing your policy and specifying the authenticated Sentry endpoint:
Content-Security-Policy: ...; report-uri https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey; report-to csp-endpoint
Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey"}],"include_subdomains":true}
Compatibility Recommendation
Though the report-to directive is intended to replace the deprecated report-uri directive, report-to isn't supported in most browsers yet. So for compatibility with current browsers while also adding forward compatibility when browsers get report-to support, you can specify both report-uri and report-to in your Content-Security-Policy (CSP).
Alternatively, you can set up CSP reports to simply send reports rather than enforcing the policy:
Content-Security-Policy-Report-Only: ...; report-uri https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey; report-to csp-endpoint
Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey"}],"include_subdomains":true}
When defining your policy it is important to ensure that sentry.io or your self-hosted Sentry domain is in your default-src or connect-src policy, or browsers will block requests that submit policy violations.
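The following is an added example, not code from Sentry's documentation or product. It assembles the two headers shown above (the policy header carrying both report-uri and report-to, plus the Report-To group definition) and then checks the point made in the previous paragraph: whether the policy's own connect-src (or default-src, when connect-src is absent) permits the browser to reach the report endpoint. The function and constant names are my own; the endpoint URL is the one used on this page.

```python
# Added example, not Sentry's code. Builds CSP reporting headers and checks that
# the policy allows the browser to submit reports to the configured endpoint.
import json
from typing import Optional
from urllib.parse import urlsplit

# Endpoint as written on this page; a real deployment uses its own project key.
SENTRY_REPORT_URL = "https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey"


def build_csp_headers(policy: str, report_url: str = SENTRY_REPORT_URL,
                      group: str = "csp-endpoint", report_only: bool = False) -> dict:
    """Return the response headers to send: the policy header with both report-uri
    (current browsers) and report-to (forward compatibility), and the Report-To
    header that defines the named endpoint group."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    policy = policy.strip().rstrip(";")
    value = f"{policy}; report-uri {report_url}; report-to {group}"
    report_to = {
        "group": group,
        "max_age": 10886400,
        "endpoints": [{"url": report_url}],
        "include_subdomains": True,
    }
    return {name: value, "Report-To": json.dumps(report_to, separators=(",", ":"))}


def parse_csp(policy: str) -> dict:
    """Split a policy string into {directive-name: [source-expression, ...]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _source_matches(source: str, scheme: str, host: str, page_origin: Optional[str]) -> bool:
    """Evaluate one CSP source expression against the report endpoint's origin.
    Ports are ignored for brevity."""
    src = source.lower()
    if src == "*":
        return True
    if src == "'self'":
        return page_origin is not None and page_origin.lower() == f"{scheme}://{host}"
    if src.startswith("'"):            # 'none', nonces, hashes: never a host match
        return False
    if src.endswith(":"):              # scheme-source such as https:
        return src[:-1] == scheme
    src_scheme, _, src_host = src.rpartition("://")
    if src_scheme and src_scheme != scheme:
        return False
    src_host = src_host.split("/")[0].split(":")[0]   # drop any path and port
    if src_host.startswith("*."):                      # wildcard label matches subdomains
        return host.endswith(src_host[1:])
    return src_host == host


def report_endpoint_allowed(policy: str, report_url: str = SENTRY_REPORT_URL,
                            page_origin: Optional[str] = None) -> bool:
    """True if connect-src (falling back to default-src) lets the browser POST
    violation reports to report_url. With neither directive present, no fetch
    restriction applies, so the report is allowed."""
    parts = urlsplit(report_url)
    directives = parse_csp(policy)
    if "connect-src" in directives:
        sources = directives["connect-src"]
    elif "default-src" in directives:
        sources = directives["default-src"]
    else:
        return True
    return any(_source_matches(s, parts.scheme, parts.hostname, page_origin) for s in sources)


if __name__ == "__main__":
    policy = "default-src 'self'; connect-src 'self' https://o0.ingest.sentry.io"
    for header, value in build_csp_headers(policy, report_only=True).items():
        print(f"{header}: {value}")
    print("report endpoint reachable:", report_endpoint_allowed(policy))
    print("reachable under default-src 'self' only:", report_endpoint_allowed("default-src 'self'"))
```

Run the check against the policy you actually serve before switching from Content-Security-Policy-Report-Only to the enforcing header; a policy that silently blocks its own report submissions gives the impression that there are no violations.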
For more information, see the article on MDN.
Certificate Transparency (CT) is a security standard that helps track and identify valid certificates, allowing identification of maliciously issued certificates.
To configure reports in Sentry, you’ll need to configure the Expect-CT header from your server:
Expect-CT: ..., report-uri="https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey"
For more information, see the article on MDN.
HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. It’s enforced by browser vendors, and Sentry supports capturing violations using the standard reporting hooks.
To configure HPKP reports in Sentry, you’ll need to send a header from your server describing your policy and specify the authenticated Sentry endpoint:
Public-Key-Pins: ...; report-uri="https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey"
For more information, see the article on MDN.
In addition to the sentry_key parameter, you may also pass the following within the query string for the report URI:
sentry_environment: The environment name (for example, production). The environment name is case-sensitive and can't contain new lines, spaces, or forward slashes. It can't be the string "None" or exceed 64 characters.
sentry_release: The version of the application.
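As an added example that is not part of Sentry's documentation, the helper below appends sentry_environment and sentry_release to a report URI that already carries sentry_key, applying the environment-name rules listed above before the value is placed in a header. The function names are my own; the base URL is the one used on this page.

```python
# Added example, not Sentry's code. Builds a report URI carrying the optional
# sentry_environment and sentry_release parameters, validating the environment
# name against the documented constraints.
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

FORBIDDEN_ENV_CHARS = "\n\r /"   # new lines, spaces and forward slashes are rejected


def environment_name_valid(name: str) -> bool:
    """Case-sensitive name, no new lines, spaces or forward slashes,
    not the literal string "None", and at most 64 characters."""
    if name == "None" or len(name) > 64:
        return False
    return not any(ch in name for ch in FORBIDDEN_ENV_CHARS)


def tagged_report_uri(base_url: str, environment: Optional[str] = None,
                      release: Optional[str] = None) -> str:
    """Return base_url with sentry_environment / sentry_release added to the query
    string, keeping the existing sentry_key and any other parameters intact."""
    parts = urlsplit(base_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "sentry_key" not in query:
        raise ValueError("report URI must carry sentry_key")
    if environment is not None:
        if not environment_name_valid(environment):
            raise ValueError(f"invalid sentry_environment: {environment!r}")
        query["sentry_environment"] = environment
    if release is not None:
        query["sentry_release"] = release
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    base = "https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey"
    print(tagged_report_uri(base, environment="production", release="1.2.3"))
```

Because the resulting URI goes into the report-uri directive and the Report-To JSON, validating it once at build time avoids shipping a header that Sentry will reject for every report it receives.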