Title: CSP Violation Reporter
Author: Guilherme Dumas Peres
Published: <strong>May 28, 2026</strong>
Last modified: May 28, 2026

---

Search plugins

![](https://s.w.org/plugins/geopattern-icon/csp-violation-reporter.svg)

# CSP Violation Reporter

 By [Guilherme Dumas Peres](https://profiles.wordpress.org/guidumasperes/)

[Download](https://downloads.wordpress.org/plugin/csp-violation-reporter.0.1.1.zip)

 * [Details](https://vec.wordpress.org/plugins/csp-violation-reporter/#description)
 * [Reviews](https://vec.wordpress.org/plugins/csp-violation-reporter/#reviews)
 *  [Installation](https://vec.wordpress.org/plugins/csp-violation-reporter/#installation)
 * [Development](https://vec.wordpress.org/plugins/csp-violation-reporter/#developers)

 [Support](https://wordpress.org/support/plugin/csp-violation-reporter/)

## Description

CSP Violation Reporter adds a public WordPress REST endpoint for browser Content
Security Policy violation reports and stores received violations in a local database
table.

Reports can be reviewed from Tools > CSP Violations. The plugin supports the modern
Reporting API payload format as well as the older `csp-report` JSON shape.

Endpoint:

    ```
    /wp-json/csp-violation-reporter/v1/report
    ```

The plugin does not create or modify Content Security Policy headers. Site owners
should configure CSP headers in their web server, hosting dashboard, theme, or security
tooling.

Example report endpoint configuration:

    ```
    Content-Security-Policy: default-src 'self'; report-uri https://example.com/wp-json/csp-violation-reporter/v1/report
    ```

For the modern Reporting API, use an HTTPS endpoint:

    ```
    Reporting-Endpoints: csp-endpoint="https://example.com/wp-json/csp-violation-reporter/v1/report"

    Content-Security-Policy: default-src 'self'; report-to csp-endpoint
    ```

### Privacy

This plugin stores CSP violation reports submitted by browsers. Stored fields can
include the document URL, referrer URL, blocked URI, violated directive, source 
file, line and column numbers, a user agent string, a salted hash of the remote 
address, and the raw report payload.

The plugin does not store raw IP addresses and does not transmit report data to 
external services.

## Installation

 1. Upload the plugin folder to `/wp-content/plugins/`.
 2. Activate the plugin through the Plugins screen in WordPress.
 3. Open Tools > CSP Violations to copy the reporting endpoint.
 4. Configure your CSP Reporting API group and reference it from your `report-to` directive.

## FAQ

### Does this plugin set my CSP header?

No. This plugin receives and displays CSP violation reports. CSP header generation
is intentionally left to your theme, server, security plugin, or hosting environment.

### Is the report endpoint public?

Yes. Browser violation reports are sent without WordPress authentication. Admin 
views remain protected by the `manage_options` capability.

### Does the plugin store visitor IP addresses?

No. The plugin stores a salted hash of the remote address to help with deduplication
and abuse analysis without retaining the raw IP address.

### Does the plugin send data to third parties?

No. Reports are stored in the site’s own WordPress database.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“CSP Violation Reporter” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ Guilherme Dumas Peres ](https://profiles.wordpress.org/guidumasperes/)

[Translate “CSP Violation Reporter” into your language.](https://translate.wordpress.org/projects/wp-plugins/csp-violation-reporter)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/csp-violation-reporter/),
check out the [SVN repository](https://plugins.svn.wordpress.org/csp-violation-reporter/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/csp-violation-reporter/)
by [RSS](https://plugins.trac.wordpress.org/log/csp-violation-reporter/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 0.1.1

 * Prepared SQL statements that include the plugin’s custom table name.

#### 0.1.0

 * Initial development release.

## Meta

 *  Version **0.1.1**
 *  Last updated **1 month ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 6.5 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.4 or higher **
 *  Language
 * [English (US)](https://wordpress.org/plugins/csp-violation-reporter/)
 * Tags
 * [content security policy](https://vec.wordpress.org/plugins/tags/content-security-policy/)
   [csp](https://vec.wordpress.org/plugins/tags/csp/)[reporting](https://vec.wordpress.org/plugins/tags/reporting/)
   [reports](https://vec.wordpress.org/plugins/tags/reports/)[security](https://vec.wordpress.org/plugins/tags/security/)
 *  [Advanced View](https://vec.wordpress.org/plugins/csp-violation-reporter/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/csp-violation-reporter/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/csp-violation-reporter/reviews/)

## Contributors

 *   [ Guilherme Dumas Peres ](https://profiles.wordpress.org/guidumasperes/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/csp-violation-reporter/)