Self-Hosted Content Security Policy (CSP)
This is an experimental feature. This means that features and workflows are not completely tested, so use at your own risk!
Starting with Sentry 23.5.0, you can enable the CSP header on self-hosted Sentry installations. Sentry itself can collect CSP violation reports, so we recommend creating a separate Sentry project to receive them. To enable CSP and report collection, configure the following settings in sentry.conf.py:
CSP_REPORT_URI = "https://your-sentry-url-prefix.com/api/{csp-project-id}/security/?sentry_key={sentry-key}"
CSP_REPORT_ONLY = True
We recommend starting with CSP_REPORT_ONLY = True: browsers then only report violations to the CSP project and block nothing. Once no violations show up in that project under normal use, switch to CSP_REPORT_ONLY = False. This enforces the policy, and any script or resource it does not allow is blocked.
If you'd like to allow custom sources, extra entries can be appended to any CSP_* directive using the django-csp settings syntax. For example:
CSP_SCRIPT_SRC += ["example.com"]
Use += rather than = so the default entries of the directive are kept; assigning a new list outright replaces them. Default CSP_* settings are defined in server.py.
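As an added example (not Sentry's or django-csp's own code), the Python below models how the settings above become the response header, so you can check offline what CSP_REPORT_ONLY changes and what is lost when a CSP_* list is replaced instead of extended. The default lists, the hostname sentry.example.com, the project id and the key are placeholders, not Sentry's real defaults; the directive naming rule (CSP_SCRIPT_SRC becomes script-src) is the django-csp convention.

```python
from urllib.parse import urlparse

# django-csp derives the directive name from the setting name: strip the
# "CSP_" prefix, lower-case, and turn "_" into "-".
SOURCE_DIRECTIVES = (
    "CSP_DEFAULT_SRC", "CSP_SCRIPT_SRC", "CSP_STYLE_SRC", "CSP_IMG_SRC",
    "CSP_CONNECT_SRC", "CSP_FONT_SRC", "CSP_FRAME_ANCESTORS", "CSP_OBJECT_SRC",
)


def directive_name(setting):
    return setting[len("CSP_"):].lower().replace("_", "-")


def build_report_uri(base_url, csp_project_id, sentry_key):
    """Compose CSP_REPORT_URI from the public URL prefix, the id of the
    project that receives reports and that project's DSN key."""
    parsed = urlparse(base_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("base_url must be an absolute http(s) URL prefix")
    base = base_url.rstrip("/")
    return f"{base}/api/{int(csp_project_id)}/security/?sentry_key={sentry_key}"


def render_csp(settings):
    """Return (header_name, header_value) the way a django-csp style
    configuration would be emitted. CSP_REPORT_ONLY picks the header name."""
    parts = []
    for key in SOURCE_DIRECTIVES:
        values = settings.get(key)
        if values:
            parts.append(f"{directive_name(key)} {' '.join(values)}")
    if settings.get("CSP_REPORT_URI"):
        parts.append(f"report-uri {settings['CSP_REPORT_URI']}")
    name = ("Content-Security-Policy-Report-Only"
            if settings.get("CSP_REPORT_ONLY") else "Content-Security-Policy")
    return name, "; ".join(parts)


def extend_directive(base, key, extra):
    """The `+=` form from sentry.conf.py: keep the defaults, append extras."""
    merged = dict(base)
    merged[key] = list(base.get(key, [])) + list(extra)
    return merged


def lost_defaults(base, key, new_values):
    """Which default sources would disappear if the list were assigned
    with `=` instead of extended with `+=`."""
    return set(base.get(key, [])) - set(new_values)


# Assumed placeholder defaults standing in for the CSP_* values in server.py.
BASE_SETTINGS = {
    "CSP_DEFAULT_SRC": ["'none'"],
    "CSP_SCRIPT_SRC": ["'self'"],
    "CSP_STYLE_SRC": ["'self'", "'unsafe-inline'"],
    "CSP_CONNECT_SRC": ["'self'"],
    "CSP_FRAME_ANCESTORS": ["'none'"],
}

# Placeholder instance URL, CSP project id and key (constructed values).
REPORT_URI = build_report_uri("https://sentry.example.com", 2, "abc")

# Step 1 of the page: report-only, with one extra script source appended.
REPORT_ONLY_SETTINGS = {
    **extend_directive(BASE_SETTINGS, "CSP_SCRIPT_SRC", ["example.com"]),
    "CSP_REPORT_URI": REPORT_URI,
    "CSP_REPORT_ONLY": True,
}

# Step 2: same policy, now enforced.
ENFORCE_SETTINGS = {**REPORT_ONLY_SETTINGS, "CSP_REPORT_ONLY": False}

if __name__ == "__main__":
    for label, cfg in (("report-only", REPORT_ONLY_SETTINGS),
                       ("enforce", ENFORCE_SETTINGS)):
        name, value = render_csp(cfg)
        print(f"[{label}] {name}: {value}")
    print("replacing CSP_SCRIPT_SRC with ['example.com'] would drop:",
          lost_defaults(BASE_SETTINGS, "CSP_SCRIPT_SRC", ["example.com"]))
```

Running the block prints the report-only header first and the enforcing header second; the only difference is the header name, so a policy tuned under report-only carries over unchanged when you flip the switch. The last line shows why the page uses +=: assigning the list would drop 'self' and break Sentry's own scripts.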