Self-Hosted Content Security Policy (CSP)

Starting with Sentry 23.5.0, it is possible to enable the CSP header on self-hosted Sentry installations. The good news is that Sentry itself supports collecting CSP violation reports. We recommend creating a separate Sentry project for CSP reports. To enable CSP and report collection, configure the following settings in sentry.conf.py:

if "csp.middleware.CSPMiddleware" not in MIDDLEWARE:
    MIDDLEWARE = ("csp.middleware.CSPMiddleware",) + MIDDLEWARE
CSP_REPORT_URI = "https://your-sentry-url-prefix.com/api/{csp-project-id}/security/?sentry_key={sentry-key}"
CSP_REPORT_ONLY = True

We recommend starting with CSP_REPORT_ONLY = True. Once no violations are reported under normal use, switch to CSP_REPORT_ONLY = False. This enforces the policy, so any script or resource not allowed by it is blocked.

If you'd like to allow custom sources, extra source expressions can be appended to the corresponding CSP_* setting. We support the django-csp settings syntax. For example:

CSP_SCRIPT_SRC += ["example.com"]

Default CSP_* settings are defined in server.py.
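During the report-only phase you will want to turn the collected violations into concrete CSP_* additions, and to separate host sources you can allow-list from violations such as inline scripts that no host entry can fix. The following is an added example, not code from Sentry or django-csp; it assumes the reports are read back as dicts in the browser's csp-report format (the constructed samples below stand in for real ones) and that setting names follow django-csp's CSP_<DIRECTIVE> convention.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: violation reports in the browser's csp-report format,
# as received at /api/{csp-project-id}/security/ while CSP_REPORT_ONLY = True.
SAMPLE_REPORTS = [
    {"csp-report": {"document-uri": "https://sentry.example.com/issues/",
                    "effective-directive": "script-src",
                    "blocked-uri": "https://cdn.example.net/widget/v2.js"}},
    {"csp-report": {"document-uri": "https://sentry.example.com/issues/",
                    "effective-directive": "script-src",
                    "blocked-uri": "inline"}},
    {"csp-report": {"document-uri": "https://sentry.example.com/settings/",
                    "effective-directive": "img-src",
                    "blocked-uri": "https://avatars.example.org/u/42.png"}},
    {"csp-report": {"document-uri": "https://sentry.example.com/settings/",
                    "effective-directive": "img-src",
                    "blocked-uri": "https://avatars.example.org/u/7.png"}},
]

def setting_name(directive):
    """Map a CSP directive ('script-src') to its django-csp setting (CSP_SCRIPT_SRC)."""
    return "CSP_" + directive.upper().replace("-", "_")

def triage_csp_reports(reports):
    """Group report-only violations by django-csp setting.

    Returns (hosts, unfixable): hosts maps a setting to the sorted origins that
    could be allow-listed; unfixable lists (setting, blocked-uri) pairs such as
    'inline' or 'eval', which need a nonce/hash or a code change rather than a
    wider allow-list.
    """
    hosts = defaultdict(set)
    unfixable = set()
    for wrapper in reports:
        report = wrapper["csp-report"]
        setting = setting_name(report["effective-directive"])
        blocked = report.get("blocked-uri", "")
        parts = urlsplit(blocked)
        if parts.scheme in ("http", "https") and parts.netloc:
            hosts[setting].add(parts.netloc)
        else:
            unfixable.add((setting, blocked or "<empty>"))
    return {k: sorted(v) for k, v in hosts.items()}, sorted(unfixable)

def suggested_lines(reports):
    """Render allow-list additions in the sentry.conf.py syntax used above."""
    hosts, _ = triage_csp_reports(reports)
    return [f"{k} += {v!r}" for k, v in sorted(hosts.items())]
```

Review each suggested origin before adding it to sentry.conf.py; an unexpected host in the report stream is exactly the kind of finding report-only mode exists to surface.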
