Every script on your site can change without you knowing — a new dependency, a modified file, or a compromised third party. Report URI fingerprints the JavaScript running in your users' browsers and tells you the moment one changes.
The scripts running in your users' browsers come from tag managers, analytics, payment widgets, and libraries you pulled in months ago. Any one of them can change at any time — and when it does, it's your page that runs the new code.
A third-party script gets updated at the source. The version your users load today isn't the one you reviewed. Nothing on your side flagged the change.
British Airways lost £20,000,000 after an attacker edited a single file loading on their site. The code wasn't theirs. The penalty was.
A spreadsheet of approved scripts reflects a moment in time, not what's executing right now. Scripts change continuously. A point-in-time list doesn't.
Report URI captures the integrity metadata of every JavaScript file loading on your site, identifies it against a database of nearly 13,000,000 verified fingerprints, and alerts you the moment anything changes.
Captures integrity metadata directly from the browser to identify each script, verify its fingerprint against our database, and alert you the moment one changes. Detect compromised third- and fourth-party dependencies, spot scripts with known CVEs, and get guidance to patch vulnerable libraries before an attack takes hold.
Monitors every JavaScript dependency across your site and notifies you the moment one changes, moves, or a new one appears. An unexpected new dependency is one of the most reliable early indicators of a Magecart attack in progress.
Without SRI, a browser executes any script it receives — including a tampered one. Integrity Policy surfaces every script missing SRI coverage so you can enforce consistent protection across your whole estate and close the gaps attackers rely on.
Script Watch tells you a script changed. Threat Intelligence tells you whether the source is known to be malicious, drawing on external and internally generated feeds of active threat data.
Report URI uses integrity metadata built into every modern browser. There's no code or agent to deploy — we gather data from the browser loading your page and analyse it over time. Many CDN providers let you enable it straight from their dashboard.
This is client-side security that reads what's already happening in the browser. It adds nothing to your page and can't break what it monitors.
Content-Security-Policy-Report-Only:
script-src 'report-sha256'; report-to default
Two lines of config. No infrastructure changes.
30-day free trial · Two lines of config · No agent · Nearly 13,000,000 verified fingerprints
Report URI identifies every script executing in the browser, verifies it against a known-file database, detects changes as they happen, and produces an audit trail of that activity. That's what it's built to do.
| Report URI covers | Doesn't replace |
|---|---|
| Script fingerprinting and identification | Penetration testing |
| Real-time change and tampering detection | Secure code review |
| SRI coverage enforcement | WAF or edge security |
| Known-CVE dependency detection | Vulnerability remediation |
Tools that promise to do all of it usually inject their own code into your pages — another script, another attack surface. Report URI doesn't. Nothing runs on your behalf, so nothing can break, slow down, or get compromised.
“Report URI has given us the capability to seamlessly build and roll out new Content Security Policies with a high level of confidence. The unopinionated and technology-agnostic nature of Report URI allowed us to integrate it directly and easily into our existing workflows, and to gain instant visibility into CSP reports. With Report URI's Script Watch product, we can meet our obligations under the new PCI DSS v4.0 requirements, in a way that meaningfully helps us monitor and assure the security of key components of the Paddle platform.”
Colin Barr, Head of InfoSec and IT · Paddle