Content Security Policy (CSP) report-uri Uses HTTP
Description
The Content Security Policy (CSP) on the target application includes a report-uri directive that uses an insecure HTTP endpoint instead of HTTPS. When CSP violations occur, browsers send violation reports to the specified URI. Using HTTP for this reporting mechanism exposes these reports to interception and tampering during transmission, potentially revealing sensitive information about the application's security posture and user behavior.
Remediation
Update the Content Security Policy to use HTTPS for the report-uri directive. This ensures violation reports are transmitted securely and cannot be intercepted or modified in transit.
For HTTP Response Headers:
Modify the Content-Security-Policy header to use an HTTPS endpoint:
Content-Security-Policy: default-src 'self'; report-uri https://example.com/csp-reports
Note: The report-uri directive is deprecated in favor of the report-to directive. Consider migrating to the newer Reporting API:
Content-Security-Policy: default-src 'self'; report-to csp-endpoint
Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://example.com/csp-reports"}]}
Important: CSP reporting directives (report-uri and report-to) are only supported in HTTP response headers and will not function if configured in HTML <meta> tags. Ensure your CSP is delivered via the Content-Security-Policy HTTP response header.
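As an added check (not part of this advisory or any scanner's code), the following Python helper parses Content-Security-Policy and Report-To header values and flags reporting endpoints that use plain http:; the sample header values it runs against are constructed for illustration and are not taken from a real application.

```python
import json
from urllib.parse import urlparse


def parse_csp(header_value):
    """Split a Content-Security-Policy value into {directive-name: [tokens]}."""
    directives = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def report_to_endpoints(report_to_value):
    """Map Report-To group names to endpoint URLs.

    Report-To is a comma-separated list of JSON objects, so wrapping it in
    brackets lets it parse as one JSON array. A group without a name is
    the "default" group per the Reporting API.
    """
    groups = {}
    for group in json.loads("[" + report_to_value + "]"):
        urls = [ep.get("url", "") for ep in group.get("endpoints", [])]
        groups[group.get("group", "default")] = urls
    return groups


def insecure_report_endpoints(csp_value, report_to_value=None):
    """Return (directive, url) pairs for reporting endpoints delivered over http:.

    Relative URLs (no scheme) resolve against the page's own origin and inherit
    its scheme, so they are not flagged here.
    """
    findings = []
    directives = parse_csp(csp_value)
    for url in directives.get("report-uri", []):
        if urlparse(url).scheme.lower() == "http":
            findings.append(("report-uri", url))
    group_names = directives.get("report-to", [])
    if group_names and report_to_value:
        for url in report_to_endpoints(report_to_value).get(group_names[0], []):
            if urlparse(url).scheme.lower() == "http":
                findings.append(("report-to", url))
    return findings


# Constructed sample headers (assumptions for demonstration, not real targets).
WEAK_CSP = "default-src 'self'; report-uri http://example.com/csp-reports"
FIXED_CSP = "default-src 'self'; report-uri https://example.com/csp-reports"
REPORT_TO_CSP = "default-src 'self'; report-to csp-endpoint"
WEAK_REPORT_TO = '{"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"http://example.com/csp-reports"}]}'

if __name__ == "__main__":
    for csp, rt in [(WEAK_CSP, None), (FIXED_CSP, None), (REPORT_TO_CSP, WEAK_REPORT_TO)]:
        print(insecure_report_endpoints(csp, rt))
```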