{"componentChunkName":"component---src-templates-doc-tsx","path":"/product/security-policy-reporting/","result":{"data":{"file":{"id":"9450d096-1a72-5475-be33-7e55183421de","relativePath":"product/security-policy-reporting.mdx","sourceInstanceName":"docs","childMarkdownRemark":null,"childMdx":{"body":"function _extends() { _extends = Object.assign || function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\n\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\n\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n\n/* @jsx mdx */\nvar _frontmatter = {\n  \"title\": \"Security Policy Reporting\",\n  \"sidebar_order\": 6,\n  \"redirect_from\": [\"/learn/security-policy-reporting/\", \"/error-reporting/security-policy-reporting/\", \"/platforms/javascript/security-policy-reporting/\"]\n};\n\nvar makeShortcode = function makeShortcode(name) {\n  return function MDXDefaultShortcode(props) {\n    console.warn(\"Component \" + name + \" was not imported, exported, or provided by MDXProvider as global scope\");\n    return mdx(\"div\", props);\n  };\n};\n\nvar CodeTabs = makeShortcode(\"CodeTabs\");\nvar CodeBlock = makeShortcode(\"CodeBlock\");\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n      props = _objectWithoutProperties(_ref, [\"components\"]);\n\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"Sentry provides the ability to collect information on \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\"\n  }), \"Content-Security-Policy (CSP)\"), \" violations, as well as \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT\"\n  }), \"Expect-CT\"), \" and \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning\"\n  }), \"HTTP Public Key Pinning (HPKP)\"), \" failures by setting the proper HTTP header which results in violation/failure to be sent to Sentry endpoint specified in \", mdx(\"em\", {\n    parentName: \"p\"\n  }, \"report-uri\"), \".\"), mdx(\"p\", null, \"The integration process consists of configuring the appropriate header with your project key\\u2019s Security Header endpoint found at \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Project Settings > Security Headers\"), \".\"), mdx(\"h2\", {\n    \"id\": \"content-security-policy\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", _extends({\n    parentName: \"h2\"\n  }, {\n    \"href\": \"#content-security-policy\",\n    \"aria-label\": \"content security policy permalink\",\n    \"className\": \"anchor before\"\n  }), mdx(\"svg\", _extends({\n    parentName: \"a\"\n  }, {\n    \"viewBox\": \"0 0 24 24\",\n    \"xmlns\": \"http://www.w3.org/2000/svg\"\n  }), mdx(\"path\", _extends({\n    parentName: \"svg\"\n  }, {\n    \"d\": \"M10.879 6.05L15 1.93A5.001 5.001 0 0 1 22.071 9l-4.121 4.121a1 1 0 0 1-1.414-1.414l4.12-4.121a3 3 0 1 0-4.242-4.243l-4.121 4.121a1 1 0 1 1-1.414-1.414zm2.242 11.9L9 22.07A5 5 0 1 1 1.929 15l4.121-4.121a1 1 0 0 1 1.414 1.414l-4.12 4.121a3 3 0 1 0 4.242 4.243l4.121-4.121a1 1 0 1 1 1.414 1.414zm-8.364-.122l13.071-13.07a1 1 0 0 1 1.415 1.414L6.172 19.242a1 1 0 1 1-1.415-1.414z\",\n    \"fill\": \"currentColor\"\n  })))), \"Content-Security-Policy\"), mdx(\"p\", null, mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://en.wikipedia.org/wiki/Content_Security_Policy\"\n  }), \"Content-Security-Policy\"), \" (CSP) is a security standard which helps prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It\\u2019s enforced by browser vendors, and Sentry supports capturing CSP violations using the standard reporting hooks.\"), mdx(\"p\", null, \"To configure CSP reports in Sentry, you\\u2019ll need to send a header from your server describing your policy, as well specifying the authenticated Sentry endpoint:\"), mdx(\"div\", {\n    \"className\": \"code-tabs-wrapper\"\n  }, mdx(CodeTabs, {\n    mdxType: \"CodeTabs\"\n  }, mdx(CodeBlock, {\n    language: \"\",\n    title: \"\",\n    filename: \"\",\n    mdxType: \"CodeBlock\"\n  }, mdx(\"div\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"text\"\n  }), mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-text\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"Content-Security-Policy: ...; report-uri https://___ORG_INGEST_DOMAIN___/api/___PROJECT_ID___/security/?sentry_key=___PUBLIC_KEY___\")))))), mdx(\"p\", null, \"Alternatively you can setup CSP reports to simply send reports rather than actually enforcing the policy:\"), mdx(\"div\", {\n    \"className\": \"code-tabs-wrapper\"\n  }, mdx(CodeTabs, {\n    mdxType: \"CodeTabs\"\n  }, mdx(CodeBlock, {\n    language: \"\",\n    title: \"\",\n    filename: \"\",\n    mdxType: \"CodeBlock\"\n  }, mdx(\"div\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"text\"\n  }), mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-text\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"Content-Security-Policy-Report-Only: ...; report-uri https://___ORG_INGEST_DOMAIN___/api/___PROJECT_ID___/security/?sentry_key=___PUBLIC_KEY___\")))))), mdx(\"p\", null, \"For more information, see the article on \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\"\n  }), \"MDN\"), \".\"), mdx(\"h2\", {\n    \"id\": \"id2\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", _extends({\n    parentName: \"h2\"\n  }, {\n    \"href\": \"#id2\",\n    \"aria-label\": \"id2 permalink\",\n    \"className\": \"anchor before\"\n  }), mdx(\"svg\", _extends({\n    parentName: \"a\"\n  }, {\n    \"viewBox\": \"0 0 24 24\",\n    \"xmlns\": \"http://www.w3.org/2000/svg\"\n  }), mdx(\"path\", _extends({\n    parentName: \"svg\"\n  }, {\n    \"d\": \"M10.879 6.05L15 1.93A5.001 5.001 0 0 1 22.071 9l-4.121 4.121a1 1 0 0 1-1.414-1.414l4.12-4.121a3 3 0 1 0-4.242-4.243l-4.121 4.121a1 1 0 1 1-1.414-1.414zm2.242 11.9L9 22.07A5 5 0 1 1 1.929 15l4.121-4.121a1 1 0 0 1 1.414 1.414l-4.12 4.121a3 3 0 1 0 4.242 4.243l4.121-4.121a1 1 0 1 1 1.414 1.414zm-8.364-.122l13.071-13.07a1 1 0 0 1 1.415 1.414L6.172 19.242a1 1 0 1 1-1.415-1.414z\",\n    \"fill\": \"currentColor\"\n  })))), \"Expect-CT\"), mdx(\"p\", null, mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://en.wikipedia.org/wiki/Certificate_Transparency\"\n  }), \"Certificate Transparency\"), \" (CT) is a security standard which helps track and identify valid certificates, allowing identification of maliciously issued certificates.\"), mdx(\"p\", null, \"To configure reports in Sentry, you\\u2019ll need to configure the Expect-CT a header from your server:\"), mdx(\"div\", {\n    \"className\": \"code-tabs-wrapper\"\n  }, mdx(CodeTabs, {\n    mdxType: \"CodeTabs\"\n  }, mdx(CodeBlock, {\n    language: \"\",\n    title: \"\",\n    filename: \"\",\n    mdxType: \"CodeBlock\"\n  }, mdx(\"div\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"text\"\n  }), mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-text\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"Expect-CT: ..., report-uri=\\\"https://___ORG_INGEST_DOMAIN___/api/___PROJECT_ID___/security/?sentry_key=___PUBLIC_KEY___\\\"\")))))), mdx(\"p\", null, \"For more information, see the article on \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT\"\n  }), \"MDN\"), \".\"), mdx(\"h2\", {\n    \"id\": \"http-public-key-pinning\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", _extends({\n    parentName: \"h2\"\n  }, {\n    \"href\": \"#http-public-key-pinning\",\n    \"aria-label\": \"http public key pinning permalink\",\n    \"className\": \"anchor before\"\n  }), mdx(\"svg\", _extends({\n    parentName: \"a\"\n  }, {\n    \"viewBox\": \"0 0 24 24\",\n    \"xmlns\": \"http://www.w3.org/2000/svg\"\n  }), mdx(\"path\", _extends({\n    parentName: \"svg\"\n  }, {\n    \"d\": \"M10.879 6.05L15 1.93A5.001 5.001 0 0 1 22.071 9l-4.121 4.121a1 1 0 0 1-1.414-1.414l4.12-4.121a3 3 0 1 0-4.242-4.243l-4.121 4.121a1 1 0 1 1-1.414-1.414zm2.242 11.9L9 22.07A5 5 0 1 1 1.929 15l4.121-4.121a1 1 0 0 1 1.414 1.414l-4.12 4.121a3 3 0 1 0 4.242 4.243l4.121-4.121a1 1 0 1 1 1.414 1.414zm-8.364-.122l13.071-13.07a1 1 0 0 1 1.415 1.414L6.172 19.242a1 1 0 1 1-1.415-1.414z\",\n    \"fill\": \"currentColor\"\n  })))), \"HTTP Public Key Pinning\"), mdx(\"p\", null, mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning\"\n  }), \"HTTP Public Key Pinning\"), \" (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. It\\u2019s enforced by browser vendors, and Sentry supports capturing violations using the standard reporting hooks.\"), mdx(\"p\", null, \"To configure HPKP reports in Sentry, you\\u2019ll need to send a header from your server describing your policy, as well specifying the authenticated Sentry endpoint:\"), mdx(\"div\", {\n    \"className\": \"code-tabs-wrapper\"\n  }, mdx(CodeTabs, {\n    mdxType: \"CodeTabs\"\n  }, mdx(CodeBlock, {\n    language: \"\",\n    title: \"\",\n    filename: \"\",\n    mdxType: \"CodeBlock\"\n  }, mdx(\"div\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"gatsby-highlight\",\n    \"data-language\": \"text\"\n  }), mdx(\"pre\", _extends({\n    parentName: \"div\"\n  }, {\n    \"className\": \"language-text\"\n  }), mdx(\"code\", _extends({\n    parentName: \"pre\"\n  }, {\n    \"className\": \"language-text\"\n  }), \"Public-Key-Pins: ...; report-uri=\\\"https://___ORG_INGEST_DOMAIN___/api/___PROJECT_ID___/security/?sentry_key=___PUBLIC_KEY___\\\"\")))))), mdx(\"p\", null, \"For more information, see the article on \", mdx(\"a\", _extends({\n    parentName: \"p\"\n  }, {\n    \"href\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning\"\n  }), \"MDN\"), \".\"), mdx(\"h2\", {\n    \"id\": \"additional-configuration\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", _extends({\n    parentName: \"h2\"\n  }, {\n    \"href\": \"#additional-configuration\",\n    \"aria-label\": \"additional configuration permalink\",\n    \"className\": \"anchor before\"\n  }), mdx(\"svg\", _extends({\n    parentName: \"a\"\n  }, {\n    \"viewBox\": \"0 0 24 24\",\n    \"xmlns\": \"http://www.w3.org/2000/svg\"\n  }), mdx(\"path\", _extends({\n    parentName: \"svg\"\n  }, {\n    \"d\": \"M10.879 6.05L15 1.93A5.001 5.001 0 0 1 22.071 9l-4.121 4.121a1 1 0 0 1-1.414-1.414l4.12-4.121a3 3 0 1 0-4.242-4.243l-4.121 4.121a1 1 0 1 1-1.414-1.414zm2.242 11.9L9 22.07A5 5 0 1 1 1.929 15l4.121-4.121a1 1 0 0 1 1.414 1.414l-4.12 4.121a3 3 0 1 0 4.242 4.243l4.121-4.121a1 1 0 1 1 1.414 1.414zm-8.364-.122l13.071-13.07a1 1 0 0 1 1.415 1.414L6.172 19.242a1 1 0 1 1-1.415-1.414z\",\n    \"fill\": \"currentColor\"\n  })))), \"Additional Configuration\"), mdx(\"p\", null, \"In addition to the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"sentry_key\"), \" parameter, you may also pass the following within the querystring for the report URI:\"), mdx(\"p\", null, mdx(\"dl\", {\n    parentName: \"p\"\n  }, mdx(\"dt\", {\n    parentName: \"dl\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"dt\"\n  }, \"sentry_environment\")), mdx(\"dd\", {\n    parentName: \"dl\"\n  }, \"The environment name (e.g. production).\"))), mdx(\"p\", null, mdx(\"dl\", {\n    parentName: \"p\"\n  }, mdx(\"dt\", {\n    parentName: \"dl\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"dt\"\n  }, \"sentry_release\")), mdx(\"dd\", {\n    parentName: \"dl\"\n  }, \"The version of the application.\"))));\n}\n;\nMDXContent.isMDXComponent = true;","tableOfContents":{"items":[{"url":"#content-security-policy","title":"Content-Security-Policy"},{"url":"#expect-ct-id2","title":"Expect-CT {#id2}"},{"url":"#http-public-key-pinning","title":"HTTP Public Key Pinning"},{"url":"#additional-configuration","title":"Additional Configuration"}]},"internal":{"type":"Mdx"}}}},"pageContext":{"excerpt":"Sentry provides the ability to collect information on  Content-Security-Policy (CSP)  violations, as well as  Expect-CT  and  HTTP Public Key Pinning (HPKP)  failures by setting the proper HTTP header which results in violation/failure to be sent to Sentry endpoint specified in  report-uri . The integration process consists of configuring the appropriate header with your project key’s Security Header endpoint found at  Project Settings > Security Headers . Content-Security-Policy Content-Security-Policy  (CSP) is a security standard which helps prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It’s enforced by browser vendors, and Sentry supports capturing CSP violations using the standard reporting hooks. To configure CSP reports in Sentry, you’ll need to send a header from your server describing your policy, as well specifying the authenticated Sentry endpoint: Alternatively you can setup CSP reports to simply send reports rather than actually enforcing the policy: For more information, see the article on  MDN . Expect-CT {#id2} Certificate Transparency  (CT) is a security standard which helps track and identify valid certificates, allowing identification of maliciously issued certificates. To configure reports in Sentry, you’ll need to configure the Expect-CT a header from your server: For more information, see the article on  MDN . HTTP Public Key Pinning HTTP Public Key Pinning  (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. It’s enforced by browser vendors, and Sentry supports capturing violations using the standard reporting hooks. To configure HPKP reports in Sentry, you’ll need to send a header from your server describing your policy, as well specifying the authenticated Sentry endpoint: For more information, see the article on  MDN . Additional Configuration In addition to the  sentry_key  parameter, you may also pass the following within the querystring for the report URI: sentry_environment : The environment name (e.g. production). sentry_release : The version of the application.","title":"Security Policy Reporting","description":null,"draft":null,"noindex":null,"notoc":null,"sidebar_order":6,"redirect_from":["/learn/security-policy-reporting/","/error-reporting/security-policy-reporting/","/platforms/javascript/security-policy-reporting/"],"keywords":null,"id":"9450d096-1a72-5475-be33-7e55183421de","legacy":false}},"staticQueryHashes":["1218203755","1222113826","1222113826","1766336459","2158593473","2764967025","3345802723","3818502851","3990806462","4015007367","4192517163","4264099332","518019976"]}