Content Security Policy (CSP) Contains Out of Scope report-uri Domain - Vulnerability Database

Content Security Policy (CSP) Contains Out of Scope report-uri Domain

Description

The Content Security Policy (CSP) configured for this application includes a report-uri directive that points to a domain outside the scope of the current scan target. While this configuration is technically valid, it may indicate an unintended misconfiguration, outdated policy settings, or reliance on third-party reporting services that could pose privacy or operational concerns. This finding highlights a potential gap between the intended CSP configuration and the actual deployment.

Remediation

Review the current Content Security Policy configuration and verify that all report-uri (or report-to) directives point to domains under your organization's control and within the intended scope of your application.

1. Identify all CSP headers and meta tags containing report-uri or report-to directives
2. Verify that reporting endpoints are intentional, actively monitored, and properly secured
3. Remove or update any outdated or unintended reporting domains
4. Consider migrating from the deprecated report-uri directive to the newer report-to directive with proper endpoint configuration
5. Ensure reporting endpoints use HTTPS and implement appropriate access controls

Example of updating CSP header to use an in-scope reporting endpoint:

Content-Security-Policy: default-src 'self'; report-uri https://your-domain.com/csp-reports; report-to csp-endpoint

Configure the report-to endpoint group:
Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://your-domain.com/csp-reports"}]}
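As an added example (not Invicti's code), the following Python checks a captured Content-Security-Policy value and its Report-To header against an assumed in-scope host list, covering steps 1, 2 and 5 above in one pass; the sample headers and the scope host are constructed.

```python
import json
from urllib.parse import urlsplit
def parse_csp(header):
    """Split a Content-Security-Policy header value into {directive: [values]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def parse_report_to(header):
    """Map Report-To group names to endpoint URLs (several JSON objects may be comma-separated)."""
    groups = {}
    for obj in json.loads("[" + header + "]"):
        groups[obj.get("group", "default")] = [e["url"] for e in obj.get("endpoints", [])]
    return groups

def reporting_endpoints(csp, report_to=None):
    """Collect every URL that CSP violation reports would be sent to."""
    policy = parse_csp(csp)
    urls = list(policy.get("report-uri", []))   # legacy directive, may list several URLs
    groups = parse_report_to(report_to) if report_to else {}
    for group in policy.get("report-to", []):   # group names are resolved via Report-To
        urls.extend(groups.get(group, []))
    return urls

def audit_reporting_endpoints(csp, scope_hosts, report_to=None):
    """Return [(url, issue)] for endpoints outside scope_hosts or not served over HTTPS."""
    findings = []
    for url in reporting_endpoints(csp, report_to):
        parts = urlsplit(url)
        if parts.hostname is None:   # relative URL: same origin, inherits the page's scheme
            continue
        host = parts.hostname.lower()
        if not any(host == s or host.endswith("." + s) for s in scope_hosts):
            findings.append((url, "out-of-scope"))
        if parts.scheme != "https":
            findings.append((url, "not-https"))
    return findings

# Constructed sample headers for a scan whose scope is example.com (not from a real target).
SAMPLE_CSP = ("default-src 'self'; report-uri https://csp.example.net/collect /csp-reports; "
              "report-to csp-endpoint")
SAMPLE_REPORT_TO = ('{"group":"csp-endpoint","max_age":10886400,'
                    '"endpoints":[{"url":"http://reports.example.com/csp"}]}')

if __name__ == "__main__":
    for url, issue in audit_reporting_endpoints(SAMPLE_CSP, ["example.com"], SAMPLE_REPORT_TO):
        print(issue, url)
```

Browsers implementing the current Reporting API read endpoint names from a Reporting-Endpoints header rather than Report-To, so a full audit should resolve report-to group names against both headers.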

Severity

Information
