Can Has (Minority) Reporting?

Michal Špaček (not me⤴) — @spazef0rze — www.michalspacek.cz

Browser Reporting

Open developer tools (F12, Ctrl/Cmd+Shift+I) and watch the Console and Network tabs. Also use chrome://net-export/ (copy/paste the link) to see "hidden" asynchronous reports in exported logs. See my article about how to read the logs.

1. Content Security Policy report-uri
2. Content Security Policy report-to
3. Content Security Policy Report-Only report-to
4. Crash
5. Deprecation
6. Intervention
7. Network Error Logging 404
8. Network Error Logging TLS cert wrong host
9. XSS Auditor
10. HTTP Public Key Pinning
11. Expect-CT

Certification Authorities

1. Certification Authority Authorization (CAA) iodef in DNS

Email Reporting

1. Domain-based Message Authentication, Reporting and Conformance (DMARC) rua, ruf in DNS
2. SMTP TLS Reporting rua in DNS

Meta

• View your reports
• Your reporting subdomain is brace
• Source code
• All NEL types

Tools

• report-uri.com Browser reporting aggregator ← I work on this one
• hardenize.com Security setting/headers tester ← I don't work on these
• observatory.mozilla.org Another one
• securityheaders.com Yet another one

By Michal Špaček, spazef0rze