Why does my site receive lots of requests to /report-csp-violation? | Acquia Product Documentation
Cloud Platform
Why does my site receive lots of requests to /report-csp-violation?
Why does my site receive lots of requests to /report-csp-violation?
Date Published: September 27, 2023
If your site receives many requests to the /report-csp-violation URL, the common cause is that site has been configured to do so, by the Drupal contrib module 'seckit' (Security Kit).
This module's behavior can be turned off or configured within your Drupal site at /admin/config/system/seckit
The Security Kit module is meant to improve security. Normally, a site admin that uses this module also knows that they need to continuously monitor and fix the "Violation" reports that are being sent in automatically (by web browsers being used by site visitors) via the /report-csp-violation URL which causes the seckit module to log each report via Drupal's watchdog system.
As an example, here are some of the log entries that can be obtained from the Drupal watchdog log:
Example 1:
Mar 8 06:30:04 web-12345 mysite[26974]: https://www.mysite.org|1646721004|seckit|ffff:7000:ffff:af14:ffff:47f9:19a1:d2d2|https://www.mysite.org/report-csp-violation|https://www.mysite.org/vaccineswork/what-we-know-about-new-b11529-coronavirus-variant-so-far?gclid=Cj0KCQiA95aRBhCsARIsAC2xvfxuvjWxvm9u3YhWQOW3k-MnpAE0BBy5mMRezOo-r_YcE-wfS6YJQjkaAnijEALw_wcB|0||CSP: Directive script-src-elem violated. Blocked URI: https://platform-api.sharethis.com/js/sharethis.js. Data: stdClass Object
Mar 8 06:30:04 web-12345 mysite[26974]: (
Mar 8 06:30:04 web-12345 mysite[26974]: [document-uri] => https://www.mysite.org/node/1
Mar 8 06:30:04 web-12345 mysite[26974]: [referrer] => https://www.google.com/
Mar 8 06:30:04 web-12345 mysite[26974]: [violated-directive] => script-src-elem
Mar 8 06:30:04 web-12345 mysite[26974]: [effective-directive] => script-src-elem
{ ... snip ... }
From the above examples, these report entries tell you that scripts that come from external sources (platform-api.sharethis.com and www.gstatic.cn) were blocked by browsers, because your application is sending HTTP CSP headers (either through the seckit module or other methods) that direct the browser to block or allow elements coming from certain external sources.
Ideally, if a site builder is interested in implementing Content-Security-Policy (CSP) directives, they would:
(A) monitor these warnings being reported
... and (B) fix anything that needs to be fixed on the site.
The topic of "what to fix" lies beyond what Acquia Support can assist you with. This would require knowledge of business logic to understand:
Which scripts, fonts, and other page resources that come from external sources should be allowed
The impact of enabling browsers to send back report to your Acquia-hosted site vs. disabling (and/or sending the reports to a non-Acquia vendor like https://report-uri.com/ or other options)
If you do not want to do all of the above, some short-term options are to:
(A) Turn off the self-reporting mechanism of the seckit module within your Drupal site at /admin/config/system/seckit (remember to clear Drupal and Varnish/CDN caches afterwards)
... and/or (B) disable the seckit module temporarily/completely until you plan your next steps.
If you wish to implement CSP directives but feel you need more help, do contact your Acquia Account Manager who will can guide you on how to get additional resources.
Cloud Platform