Add one URL.
Ship a real CSP.

Start with a 7-day trial — one project, no credit card, one AI-generated policy included. Five minutes from now your CSP could be doing its actual job.

7-day trial · one URL · 5 min setup · no credit card
# current
Content-Security-Policy:
default-src 'self' 'unsafe-inline' *;
# ↑ this is not security. this is a coping mechanism.
# csplog
Content-Security-Policy:
default-src 'self';
script-src 'self' https://cdn.jsdelivr.net;
style-src 'self' https://fonts.googleapis.com;
img-src 'self' data: https://i.imgur.com;
connect-src 'self' https://api.stripe.com;
report-uri https://ingest.csplog.io/…;

Three steps. Five minutes. Done.

how_it_works
01

Sign up

https://ingest.csplog.io/api/csp-report?token=YOUR_TOKEN

Create a project, get a unique report URL. That's your setup.

02

Configure

Reporting-Endpoints: csplog="https://ingest.csplog.io/api/csp-report?token=YOUR_TOKEN"
Content-Security-Policy-Report-Only: default-src 'self'; report-uri https://ingest.csplog.io/api/csp-report?token=YOUR_TOKEN; report-to csplog;

Both report-uri and report-to are included for full browser coverage. Report-Only means nothing breaks — you're just listening.

03

We analyse

✓ violations flowing
✓ noise filtered

Violations stream in automatically. We strip out browser extension garbage, bots, and AV false positives. When you're ready, one click generates a production-ready CSP with a plain-English explanation per directive.
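
The two directives in step 02 deliver different report bodies: report-uri posts a single application/csp-report object, report-to posts an application/reports+json batch, and any noise filter has to handle both. The Python below is an added example, not csplog's code; the extension-scheme list and the sample bodies are assumptions constructed here. It normalizes both formats, drops extension-injected violations, and groups the remaining blocked origins per directive:

```python
import json
from urllib.parse import urlsplit

# Assumed noise rule for this example: URL schemes used by browser extensions.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                     "safari-web-extension", "ms-browser-extension"}

def normalize(content_type, raw_body):
    """Map both report formats onto one dict shape."""
    data = json.loads(raw_body)
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/csp-report":      # body sent for report-uri
        r = data.get("csp-report", {})
        return [{"directive": r.get("effective-directive")
                              or r.get("violated-directive", ""),
                 "blocked": r.get("blocked-uri") or "",
                 "source": r.get("source-file") or ""}]
    if media_type == "application/reports+json":    # batch sent for report-to
        return [{"directive": i["body"].get("effectiveDirective", ""),
                 "blocked": i["body"].get("blockedURL") or "",
                 "source": i["body"].get("sourceFile") or ""}
                for i in data if i.get("type") == "csp-violation"]
    return []                                       # unknown content type

def is_extension_noise(v):
    """True if the blocked resource or the injecting script is an extension."""
    return any(urlsplit(v[k]).scheme in EXTENSION_SCHEMES
               for k in ("blocked", "source"))

def origins_by_directive(violations):
    """Blocked origins per directive, with extension noise dropped."""
    result = {}
    for v in violations:
        if is_extension_noise(v):
            continue
        u = urlsplit(v["blocked"])
        # Keyword values such as "inline" or "eval" carry no host; keep as-is.
        origin = f"{u.scheme}://{u.netloc}" if u.netloc else v["blocked"]
        result.setdefault(v["directive"], set()).add(origin)
    return result

# Constructed sample bodies, one per format.
LEGACY = '{"csp-report": {"effective-directive": "script-src-elem", "blocked-uri": "https://cdn.jsdelivr.net/npm/x.js"}}'
MODERN = json.dumps([
    {"type": "csp-violation", "body": {"effectiveDirective": "script-src-elem",
                                       "blockedURL": "chrome-extension://aaaa/inject.js"}},
    {"type": "csp-violation", "body": {"effectiveDirective": "img-src",
                                       "blockedURL": "https://i.imgur.com/a.png"}},
    {"type": "deprecation", "body": {}}])
```

Only origins that survive the filter are candidates for a directive's allowlist; each still needs a human decision before it goes into an enforced policy.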

What you get

features
collect
01

One endpoint. Zero config.

Add a URL to your CSP header. Violations arrive automatically from every browser, every visitor. No SDK, no script tag, no code changes. Works with any stack — if you can set an HTTP header, you're done.

filter
02

Noise filtered by default. Crowdsourced over time.

Browser extensions, antivirus injections, bots — stripped out at the pipeline by default. Add your own patterns when something slips through. The ones that hit across multiple projects get promoted to the shared list everyone sees. Moderated, not automatic — but the input is yours.

generate
03

An AI that writes — and explains — your policy.

Click "Generate policy." Our LLM analyzes your violations, fetches your current header, and produces a new one. Not just rules — a plain-English explanation per directive, warnings about risky additions, and a list of origins it intentionally ignored (and why).

the_problem
01

It's complex.

A Content Security Policy tells browsers which external resources your site is allowed to load. Sounds simple — until you realize you load fonts from Google, scripts from three CDNs, analytics from two providers, a payment iframe from Stripe, and a chat widget you forgot about. Miss one and your site breaks. Add too many and your policy is useless.

02

Violations are polluted.

You set up reporting and immediately your inbox fills with garbage. Browser extensions injecting scripts. Antivirus rewriting pages. Crawlers and bots triggering false positives. Without serious filtering, CSP violation data is unusable.

03

Reporting gets skipped.

Most developers know they need a CSP. But the reporting step — actually collecting and analyzing violations — gets skipped because the tooling is too complex, too expensive, or self-hosted. Only 13% of sites with a CSP have reporting enabled.

04

Compliance is forcing the issue.

PCI-DSS 4.0 (enforced since March 2025) requires merchants to monitor scripts on payment pages. CSP reporting is the recommended approach. The deadline has passed — many companies are still scrambling.

What we get right

what_makes_us_different
policy
01

AI policy generation.

Click once. Get a copy-paste-ready CSP, with a plain-English explanation per directive.

price
02

€7 entry. No asterisks.

Below the €10 no-brainer line. Same features as Trial — just unlocked indefinitely.

noise
03

Noise stripped by default.

Extensions, antivirus, bots — gone before they hit your dashboard. Add your own filters when something slips through.

trial
04

7-day trial. No card.

One per registrable domain. One free LLM generation. Decide after you've seen it work.

Simple pricing. Start with a trial.

pricing
Trial
€0 7 days
One trial per domain.
  • 1 project
  • 10,000 violations / mo
  • 30-day retention
  • 1 AI policy generation (total)
  • Email alerts (planned)
  • No credit card required
launching_soon
Professional
€19 per month
For agencies + dev teams.
  • 10 projects
  • 250,000 violations / mo
  • 90-day retention
  • 50 AI policy generations / mo
  • Everything in Starter
  • Slack alerts (planned)
  • API access (planned)
launching_soon

All prices exclude VAT — Paddle adds VAT / sales tax at checkout based on your country. Upgrades are immediate and prorated; downgrades apply at the end of your billing period. Cancel anytime.