CSP Violation Reporter

Description

CSP Violation Reporter adds a public WordPress REST endpoint for browser Content Security Policy violation reports and stores received violations in a local database table.

Reports can be reviewed from Tools > CSP Violations. The plugin supports the modern Reporting API payload format as well as the older csp-report JSON shape.

Endpoint:

/wp-json/csp-violation-reporter/v1/report

The plugin does not create or modify Content Security Policy headers. Site owners should configure CSP headers in their web server, hosting dashboard, theme, or security tooling.

Example configuration using the legacy report-uri directive:

Content-Security-Policy: default-src 'self'; report-uri https://example.com/wp-json/csp-violation-reporter/v1/report

For the modern Reporting API, declare an HTTPS endpoint in a Reporting-Endpoints header and reference it from report-to:

Reporting-Endpoints: csp-endpoint="https://example.com/wp-json/csp-violation-reporter/v1/report"

Content-Security-Policy: default-src 'self'; report-to csp-endpoint

Both directives can appear in the same policy. Browsers that implement report-to ignore report-uri when both are present, and older browsers fall back to report-uri, so sending both covers the widest range of clients.

Privacy

This plugin stores CSP violation reports submitted by browsers. Stored fields can include the document URL, referrer URL, blocked URI, violated directive, source file, line and column numbers, a user agent string, a salted hash of the remote address, and the raw report payload.

The plugin does not store raw IP addresses and does not transmit report data to external services.
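The two payload shapes mentioned above differ in structure and key naming: the Reporting API posts a JSON array of report objects, each with a nested body using camelCase keys (documentURL, blockedURL, effectiveDirective), while the legacy report-uri format posts a single object under a csp-report key with hyphenated keys (document-uri, blocked-uri, violated-directive). The following is an added example, not code from the plugin, showing how a receiver can map both shapes onto one record and replace the client address with a salted hash as the Privacy section describes. The output field names, the hash construction (SHA-256 over salt plus address) and the sample payloads are all assumptions made for this example; the samples are constructed, not captured from a browser.

```python
"""Normalise CSP violation reports from both wire formats.

Added example, not the plugin's own code. Output field names, the salted-hash
construction and the sample payloads below are assumptions for illustration.
"""
import hashlib
import json
from typing import Any

# Legacy (report-uri) keys -> normalised record keys.
_LEGACY_FIELDS = {
    "document-uri": "document_url",
    "referrer": "referrer",
    "blocked-uri": "blocked_url",
    "effective-directive": "effective_directive",
    "violated-directive": "violated_directive",
    "original-policy": "original_policy",
    "disposition": "disposition",
    "source-file": "source_file",
    "line-number": "line_number",
    "column-number": "column_number",
    "status-code": "status_code",
    "script-sample": "sample",
}

# Reporting API body keys -> the same normalised record keys.
_MODERN_FIELDS = {
    "documentURL": "document_url",
    "referrer": "referrer",
    "blockedURL": "blocked_url",
    "effectiveDirective": "effective_directive",
    "originalPolicy": "original_policy",
    "disposition": "disposition",
    "sourceFile": "source_file",
    "lineNumber": "line_number",
    "columnNumber": "column_number",
    "statusCode": "status_code",
    "sample": "sample",
}


def hash_remote_address(ip: str, salt: bytes) -> str:
    """Salted SHA-256 of the client address (assumed construction, not the plugin's)."""
    return hashlib.sha256(salt + ip.encode("utf-8")).hexdigest()


def _pick(src: dict, mapping: dict) -> dict:
    """Copy only known keys from a wire object, renaming them."""
    return {key: src[wire_key] for wire_key, key in mapping.items() if wire_key in src}


def normalize_reports(raw: str, remote_addr: str, salt: bytes) -> list[dict[str, Any]]:
    """Parse a request body in either shape into a list of flat records.

    Raises ValueError for anything that is not one of the two recognised shapes,
    which a public endpoint should expect from unauthenticated clients.
    """
    data = json.loads(raw)
    records: list[dict[str, Any]] = []
    if isinstance(data, list):
        # Reporting API: a batch that may mix report types; keep CSP violations only.
        for report in data:
            if not isinstance(report, dict) or report.get("type") != "csp-violation":
                continue
            body = report.get("body") or {}
            rec = _pick(body, _MODERN_FIELDS)
            rec.setdefault("document_url", report.get("url"))
            rec["user_agent"] = report.get("user_agent")
            rec["format"] = "reporting-api"
            records.append(rec)
    elif isinstance(data, dict) and isinstance(data.get("csp-report"), dict):
        rec = _pick(data["csp-report"], _LEGACY_FIELDS)
        rec["user_agent"] = None  # legacy body has no UA; read the User-Agent request header instead
        rec["format"] = "csp-report"
        records.append(rec)
    else:
        raise ValueError("not a recognised CSP report payload")
    for rec in records:
        # violated-directive exists only in the legacy shape; make both shapes comparable.
        rec.setdefault("violated_directive", rec.get("effective_directive"))
        rec["remote_hash"] = hash_remote_address(remote_addr, salt)
        rec["raw"] = raw
    return records


# Constructed sample payloads (not captured from a real browser).
MODERN_SAMPLE = json.dumps([
    {"age": 12, "type": "csp-violation", "url": "https://example.com/checkout",
     "user_agent": "Mozilla/5.0 (example)",
     "body": {"documentURL": "https://example.com/checkout", "referrer": "",
              "blockedURL": "https://cdn.example.net/widget.js",
              "effectiveDirective": "script-src-elem",
              "originalPolicy": "default-src 'self'; report-to csp-endpoint",
              "disposition": "enforce", "statusCode": 200,
              "lineNumber": 42, "columnNumber": 7,
              "sourceFile": "https://example.com/checkout"}},
    {"age": 5, "type": "deprecation", "url": "https://example.com/",
     "user_agent": "Mozilla/5.0 (example)", "body": {}},
])
LEGACY_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://example.com/checkout", "referrer": "",
    "blocked-uri": "https://cdn.example.net/widget.js",
    "violated-directive": "script-src-elem", "effective-directive": "script-src-elem",
    "original-policy": "default-src 'self'; report-uri /wp-json/csp-violation-reporter/v1/report",
    "disposition": "enforce", "status-code": 200, "line-number": 42, "column-number": 7,
    "source-file": "https://example.com/checkout"}})

if __name__ == "__main__":
    salt = b"example-salt"
    for sample in (MODERN_SAMPLE, LEGACY_SAMPLE):
        for rec in normalize_reports(sample, "203.0.113.9", salt):
            print(rec["format"], rec["blocked_url"], rec["violated_directive"], rec["remote_hash"][:16])
```

When exercising an endpoint like this by hand, send the array shape with Content-Type application/reports+json and the legacy shape with application/csp-report, which is what browsers use for each format. Because the endpoint is unauthenticated, every stored field originates from the client and should be treated as untrusted input when it is displayed or queried.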

Installation

  1. Upload the plugin folder to /wp-content/plugins/.
  2. Activate the plugin through the Plugins screen in WordPress.
  3. Open Tools > CSP Violations to copy the reporting endpoint.
  4. Point your policy at that endpoint: declare it in a Reporting-Endpoints group referenced by report-to, and optionally add it as a report-uri as well for browsers without Reporting API support.

FAQ

Does this plugin set my CSP header?

No. This plugin receives and displays CSP violation reports. CSP header generation is intentionally left to your theme, server, security plugin, or hosting environment.

Is the report endpoint public?

Yes. Browser violation reports are sent without WordPress authentication, so anyone can POST to the endpoint and every stored field is client-supplied input. Admin views remain protected by the manage_options capability.

Does the plugin store visitor IP addresses?

No. The plugin stores a salted hash of the remote address to help with deduplication and abuse analysis without retaining the raw IP address.

Does the plugin send data to third parties?

No. Reports are stored in the site’s own WordPress database.

Changelog

0.1.1

  • Prepared SQL statements that include the plugin’s custom table name.

0.1.0

  • Initial development release.