
Report URI vs c/side

Tuesday, March 25th, 2025

Updated July 1st, 2025


Carlo D'Agnolo

This article takes an honest look at the features of Report URI.

Since you’re on the c/side website, we acknowledge our bias. That said, we’ve built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.

If you want to verify their claims yourself, please navigate to their product pages.

Criteria: c/side vs. Report URI
Approaches used (c/side): Proxy + agent-based detections, but also offers a crawler and a free CSP reporting endpoint
Approaches used (Report URI): CSP reporting only
Real-time Protection
Full Payload Analysis
Dynamic Threat Detection
DOM-Level Threat Detection
100% Historical Tracking & Forensics
Bypass Protection
Certainty the Script Seen by User is Monitored
AI-driven Script Analysis
QSA validated PCI dash
SOC 2 Type II
PCI specific UI

What is Report URI?

Report URI is a reporting platform that collects browser-generated security violation reports and helps teams monitor and fine-tune their web and email security policies. It primarily supports Content Security Policy (CSP) reporting, which is by far the most common use case next to their SMTP email security service.

How Report URI works

Businesses need to configure their HTTP security headers to point to their unique Report URI endpoint. For example, with a Content Security Policy (CSP), they include a report-uri or report-to directive in the header that tells browsers where to send violation data.
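What a collector on the receiving end has to handle, as an added example (not code from Report URI or c/side): the two directives produce reports in different formats, and this sketch normalizes both into one record. The hostnames, endpoint path and sample reports are constructed for illustration.

```python
import json

# Constructed response headers: the legacy report-uri directive plus the
# newer report-to directive, which names a Reporting-Endpoints entry.
HEADERS = {
    "Reporting-Endpoints": 'csp="https://reports.example/r/csp"',
    "Content-Security-Policy": "script-src 'self' https://cdn.example; "
                               "report-uri https://reports.example/r/csp; "
                               "report-to csp",
}

def normalize(content_type, raw_body):
    """Return a list of {document, blocked, directive} dicts from either format."""
    media_type = content_type.split(";")[0].strip().lower()
    data = json.loads(raw_body)
    if media_type == "application/csp-report":      # sent for report-uri
        r = data["csp-report"]
        return [{
            "document": r.get("document-uri"),
            "blocked": r.get("blocked-uri"),
            # fall back to the older violated-directive field
            "directive": r.get("effective-directive") or r.get("violated-directive"),
        }]
    if media_type == "application/reports+json":    # sent for report-to
        return [{
            "document": e["body"].get("documentURL"),
            "blocked": e["body"].get("blockedURL"),
            "directive": e["body"].get("effectiveDirective"),
        } for e in data if e.get("type") == "csp-violation"]
    raise ValueError("unsupported report content type: " + media_type)

# Constructed sample reports describing the same violation in both formats.
LEGACY = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/checkout",
    "blocked-uri": "https://unlisted.example/a.js",
    "violated-directive": "script-src-elem",
}})
REPORTING_API = json.dumps([
    {"type": "deprecation", "body": {"id": "constructed"}},  # ignored: not CSP
    {"type": "csp-violation", "url": "https://shop.example/checkout", "body": {
        "documentURL": "https://shop.example/checkout",
        "blockedURL": "https://unlisted.example/a.js",
        "effectiveDirective": "script-src-elem",
    }},
])

if __name__ == "__main__":
    print(normalize("application/csp-report", LEGACY))
    print(normalize("application/reports+json; charset=utf-8", REPORTING_API))
```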

CSP is almost entirely what Report URI provides. While it is a commonly used security mechanism, it's often not robust enough to handle client-side attacks.

A CSP acts like a firewall that only trusts pre-approved script sources, not their content. If the source stays the same but the content changes, as in the biggest client-side attack of 2024, Polyfill, a CSP won’t catch it.

We wrote an in-depth article, Why CSP Doesn’t Work, about CSP's limits as a client-side security solution:

CSP operates on an allow-list model, which permits resources from trusted domains but cannot block individual scripts or resources from those domains.
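The source-versus-content gap described above, as an added example (not code from either vendor): a simplified model of an allow-list decision, which sees only the script URL, next to a content hash in the Subresource Integrity format, which sees the bytes. The matching logic is a deliberate simplification of CSP host-source matching (scheme, host and port only), and the hostnames and script bodies are constructed.

```python
import base64
import hashlib
from urllib.parse import urlsplit

def source_allowed(script_url, allow_list):
    """Simplified host-source match: compares scheme, host and port only."""
    u = urlsplit(script_url)
    for entry in allow_list:
        s = urlsplit(entry)
        if (u.scheme, u.hostname, u.port) == (s.scheme, s.hostname, s.port):
            return True
    return False

def sri_digest(body):
    """Integrity value in the form used by the integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def evaluate(script_url, body, allow_list, pinned_integrity):
    """Compare what an allow-list decides with what a content hash decides."""
    return {
        "csp_allows": source_allowed(script_url, allow_list),
        "integrity_matches": sri_digest(body) == pinned_integrity,
    }

# Constructed inputs: one allow-listed host serving two different bodies
# at the same URL over time.
ALLOW_LIST = ["https://cdn.example"]
SCRIPT_URL = "https://cdn.example/lib/v3/lib.min.js"
REVIEWED_BODY = b"window.lib = {version: '3.0.0'};"
CHANGED_BODY = b"window.lib = {version: '3.0.0'}; /* content changed upstream */"
PINNED = sri_digest(REVIEWED_BODY)  # hash recorded when the script was reviewed

if __name__ == "__main__":
    for label, body in (("reviewed", REVIEWED_BODY), ("changed", CHANGED_BODY)):
        print(label, evaluate(SCRIPT_URL, body, ALLOW_LIST, PINNED))
```

Pinning a hash only fits scripts whose content is meant to stay fixed; a third-party script that legitimately changes on every release will fail the integrity check just as a tampered one does.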

Report URI doesn’t block anything itself. It just receives reports from the browser and gives teams visibility into violations and misconfigurations. It all relies on native browser behavior.

Report URI also offers email security. SMTP-TLSRPT is a reporting standard that lets mail servers send reports about email transport encryption issues (i.e. STARTTLS failures). If you're using MTA-STS (Mail Transfer Agent Strict Transport Security), browsers or receiving servers can generate reports about delivery failures or downgrade attacks and send them to a specified endpoint.

So just like with CSP for browsers, you add a header (or DNS TXT record) to your mail domain that points to a Report URI endpoint, and it will collect and display those SMTP reports.

Report URI also supports other browser reporting mechanisms like Subresource Integrity (SRI) failures, Network Error Logging (NEL), Cross-Origin policies (COOP and COEP), and deprecated feature usage.

The most adjacent features to c/side would be Report URI Script Watch, which tracks the presence and changes of third-party JavaScript on your site, and Data Watch, which detects when sensitive form fields may be exposed to third-party code.

How c/side goes further

c/side primarily offers a hybrid proxy approach that sits between the user session and the third-party service. It analyzes the code of the served dependencies in real time before serving it to the user.

This not only allows us to spot advanced, highly targeted attacks and alert on them; c/side also makes it possible to block attacks before they touch the user's browser. It also checks the box for multiple compliance frameworks, including PCI DSS 4.0.1. We even provide deep forensics, including if an attacker bypasses our detections, allowing you to more tightly scope the size of the incident and us to make our detection capabilities better every day. No other vendor has this capability.

We believe this is the most secure way to monitor and protect your dependencies across your entire website. We spent years in the client-side security space before we started c/side. We've seen it all, and this is the only way you can actually spot an attack.

We also offer a free CSP endpoint on top of our product to allow for layering; it's included. With c/side, you basically get the same thing as Report URI on top for free.

Sign up or book a demo to get started.

FAQ

Q: How does c/side's hybrid proxy differ from Report URI's CSP reporting?

A: The fundamental difference is action versus reporting. Report URI tells you when CSP policies are violated after attacks have already been attempted, but it doesn't prevent them or analyze script content. c/side's hybrid proxy actively intercepts and analyzes every script before it reaches browsers, blocking malicious content in real-time. We provide protection and prevention, not just violation reporting after the fact.

Q: Can attackers bypass c/side's protection like they can with Report URI's approach?

A: No, because c/side's core analysis happens on our proxy, completely invisible to attackers. Report URI doesn't actually provide protection to bypass; it's purely a reporting service that documents CSP violations. Attackers can easily circumvent CSP policies by using legitimate domains or exploiting policy misconfigurations. c/side's proxy-based protection happens before scripts reach browsers, making it impossible for attackers to study or bypass our security mechanisms since they occur server-side.

Q: What forensic evidence does c/side provide compared to Report URI's violation reports?

A: Report URI provides CSP violation reports showing when policies were triggered, but c/side captures the complete malicious payloads that were blocked. This gives you the actual attack code for forensic analysis rather than just a notification that a violation occurred. Incident response teams get replay-ready evidence showing exactly how the attack worked and what data it targeted.

Q: How do compliance capabilities compare between c/side and Report URI?

A: c/side provides comprehensive PCI DSS compliance with both script monitoring and blocking capabilities, while Report URI only offers violation reporting. Our immutable payload archives and security header tracking cover both requirements 6.4.3 and 11.6.1 with the detailed forensic evidence that auditors require. Report URI's approach lacks the prevention and comprehensive documentation needed for full compliance.

Q: Why is c/side's real-time blocking better than Report URI's violation reporting?

A: Real-time blocking prevents attacks before any damage occurs, while violation reporting only documents attacks after they've been attempted. With Report URI, malicious scripts can still execute and steal data even if CSP violations are reported. c/side ensures malicious scripts never reach browsers, providing actual protection rather than just documentation of security policy violations.


More About Carlo D'Agnolo

I work on Marketing at c/side.