Administration: Configure reporting

NOTE: The following headers are preconfigured for reporting, you can change the reporting URI, or you can leave the default value.
The default report URI used by the diagnostics HTTP headers profiler is /Sitefinity/Frontend/Diagnostics/HttpHeadersReport 

Following is a list of headers that support reporting:

• Content-Security-Policy-Report-Only
  If you do not want to control the resources used, but only get a report, perform the following:
  
  1. Disable Content-Security-Policy header.
     
  2. Enable Content-Security-Policy-Report-Only header.
     
  3. Configure the response URI of the header in the Http header value field.
     
  4. Save your changes.
     
• Public-Key-Pins-Report-Only
  Perform the following:
  
  1. Disable Public-Key-Pins header.
     
  2. Enable Public-Key-Pins-Report-Only header.
     
  3. Configure the response URI of the header in the Http header value field.
     
  4. Save your changes.
     
• X-XSS-Protection
  Perform the following:
  
  1. Enable the X-XSS-Protection header.
     
  2. Configure the response URI of the header in the Http header value field.

     NOTE: Value 1, entered in the field before the response URI, means the all attacks will be blocked and reported to the configured URI.

After you have configured one or more headers to report activity, you can view the reports.
Perform the following:

1. In Sitefinity CMS backend, navigate to Administration » Diagnostics.
   
2. In the left pane, click HTTP headers warnings.
   A list of warnings appears.
   
3. To check the details, click View details link of the respective warning.