---
title: "Why does my site receive lots of requests to /report-csp-violation?"
date: "2023-09-27T16:48:13+00:00"
summary:
image:
type: "article"
url: "/acquia-cloud-platform/help/94171-why-does-my-site-receive-lots-requests-report-csp-violation"
id: "768014ae-ee89-4688-b418-33929e527c09"
---

If your site receives many requests to the **/report-csp-violation** URL, the most common cause is that the site has been configured to receive them by the Drupal contrib module '**seckit**' ([Security Kit](https://www.drupal.org/project/seckit)).

This module's behavior can be turned off or configured within your Drupal site at **/admin/config/system/seckit**.

The **Security Kit** module is meant to improve security. Normally, a site admin who uses this module also knows that they need to continuously monitor and fix the "violation" reports that site visitors' web browsers send automatically to the **/report-csp-violation** URL. The **seckit** module logs each of these reports through Drupal's watchdog system.
  
As an example, here are some of the log entries that can be obtained from the Drupal **watchdog** log:

*   Example 1:

    Mar 8 06:30:04 web-12345 mysite[26974]: https://www.mysite.org|1646721004|seckit|ffff:7000:ffff:af14:ffff:47f9:19a1:d2d2|https://www.mysite.org/report-csp-violation|https://www.mysite.org/vaccineswork/what-we-know-about-new-b11529-coronavirus-variant-so-far?gclid=Cj0KCQiA95aRBhCsARIsAC2xvfxuvjWxvm9u3YhWQOW3k-MnpAE0BBy5mMRezOo-r_YcE-wfS6YJQjkaAnijEALw_wcB|0||CSP: Directive script-src-elem violated. Blocked URI: https://platform-api.sharethis.com/js/sharethis.js. Data: stdClass Object
    
    Mar 8 06:30:04 web-12345 mysite[26974]: (
    Mar 8 06:30:04 web-12345 mysite[26974]:   [document-uri] => https://www.mysite.org/node/1
    Mar 8 06:30:04 web-12345 mysite[26974]:   [referrer] => https://www.google.com/
    Mar 8 06:30:04 web-12345 mysite[26974]:   [violated-directive] => script-src-elem
    Mar 8 06:30:04 web-12345 mysite[26974]:   [effective-directive] => script-src-elem
    { ... snip ... }

*   Example 2:

    drupal-watchdog.log:Mar 8 06:31:44 web-12345 mysite[28637]: https://www.mysite.org|1646721104|seckit|111.222.33.44|https://www.mysite.org/report-csp-violation|https://www.mysite.org/|0||CSP: Directive script-src-elem violated. Blocked URI: https://www.gstatic.cn/recaptcha/releases/_exWVY_hlNJJl2Abm8pI9i1L/recaptcha__en.js. Data: stdClass Object
    
    Mar 8 06:31:44 web-12345 mysite[28637]: (
    Mar 8 06:31:44 web-12345 mysite[28637]:   [document-uri] => https://www.mysite.org/
    Mar 8 06:31:44 web-12345 mysite[28637]:   [referrer] =>
    Mar 8 06:31:44 web-12345 mysite[28637]:   [violated-directive] => script-src-elem
    Mar 8 06:31:44 web-12345 mysite[28637]:   [effective-directive] => script-src-elem
    { ... snip ... }

From the above examples, these report entries tell you that scripts that come from external sources (_platform-api.sharethis.com_ and _www.gstatic.cn_) were blocked by browsers, because your application is sending HTTP CSP headers (either through the seckit module or other methods) that direct the browser to block or allow elements coming from certain external sources.  
   
Ideally, if a site builder is interested in implementing Content-Security-Policy (CSP) directives, they would: 

*   (A) monitor these warnings being reported 
*   ... and (B) fix anything that needs to be fixed on the site. 
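For step (A), the watchdog entries can be grouped by violated directive and blocked source so that the noisiest sources stand out. The script below is an added example, not part of the seckit module or of Acquia tooling; it assumes the pipe-delimited layout and message wording shown in the log examples above (type in the third field, message in the ninth), and its sample input is constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Message wording taken from the watchdog examples above.
MSG_RE = re.compile(
    r"CSP: Directive (?P<directive>\S+) violated\. Blocked URI: (?P<uri>.*?)\. Data:"
)

def summarize(log_text):
    """Count seckit CSP reports per (violated directive, blocked source)."""
    counts = Counter()
    for line in log_text.splitlines():
        # Drop the syslog prefix ("... mysite[26974]: "), then split the fields:
        # base_url|timestamp|type|ip|request_uri|referer|uid|link|message
        _, sep, payload = line.partition("]: ")
        fields = payload.split("|", 8)
        if not sep or len(fields) != 9 or fields[2] != "seckit":
            continue  # dumped report-object lines, or entries from other modules
        m = MSG_RE.search(fields[8])
        if m is None:
            continue
        uri = m.group("uri")
        try:
            # Report bodies are client-supplied: keep the raw value for keywords
            # such as "inline" and for anything that is not a parseable URL.
            source = urlsplit(uri).hostname or uri
        except ValueError:
            source = uri
        counts[(m.group("directive"), source)] += 1
    return counts

# Constructed sample input (hosts reused from the examples above, documentation IPs).
P = "Mar 8 06:30:04 web-12345 mysite[26974]: "
H = "https://www.mysite.org|1646721004|"
R = "|https://www.mysite.org/report-csp-violation|https://www.mysite.org/node/1|0||"
SHARETHIS = "https://platform-api.sharethis.com/js/sharethis.js"
SAMPLE_LOG = "\n".join([
    P + H + "seckit|203.0.113.7" + R + f"CSP: Directive script-src-elem violated. Blocked URI: {SHARETHIS}. Data: stdClass Object",
    P + "(",
    P + "  [document-uri] => https://www.mysite.org/node/1",
    P + H + "seckit|203.0.113.8" + R + f"CSP: Directive script-src-elem violated. Blocked URI: {SHARETHIS}. Data: stdClass Object",
    P + H + "seckit|203.0.113.8" + R + "CSP: Directive script-src-elem violated. Blocked URI: https://www.gstatic.cn/recaptcha/recaptcha__en.js. Data: stdClass Object",
    P + H + "seckit|203.0.113.9" + R + "CSP: Directive style-src-attr violated. Blocked URI: inline. Data: stdClass Object",
    P + H + "cron|203.0.113.9|https://www.mysite.org/cron||0||Cron run completed.",
])

if __name__ == "__main__":
    for (directive, source), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {directive:18s} {source}")
```
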

The topic of "what to fix" lies beyond what Acquia Support can assist you with. This would require knowledge of business logic to understand:

*   Which scripts, fonts, and other page resources that come from external sources should be allowed
*   How the general Content Security Policy works in modern browsers (using documentation like [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) or many others)
*   The impact of enabling browsers to send reports back to your Acquia-hosted site vs. disabling that reporting (and/or sending the reports to a non-Acquia vendor like [https://report-uri.com/](https://report-uri.com/) or other options)

If you do not want to do all of the above, some short-term options are to:

*   (A) Turn off the self-reporting mechanism of the **seckit** module within your Drupal site at **/admin/config/system/seckit** (remember to clear Drupal and Varnish/CDN caches afterwards)
*   ... and/or (B) disable the **seckit** module temporarily/completely until you plan your next steps.

If you wish to implement CSP directives but feel you need more help, do contact your Acquia Account Manager, who can guide you on how to get additional resources.