Frequently Asked Questions

I'm Scott Helme, an Information Security Consultant and blogger from the UK. You can regularly find me talking about security, privacy and performance on my blog over at I also run another service for analysing the security of your HTTP response headers at
Outside of work I like to keep up to speed on the latest developments in the security industry and this was the main motivation to start my blog. After writing about Content Security Policy and HTTP Public Key Pinning, I noticed that their use wasn't very widespread. Not only that but the reporting feature of these security policies was difficult to implement and get right. was built to make the violation reporting aspect easy and to draw attention to the ease of deploying these security policies with the hope of increasing their usage.
When a site deploys a Content Security Policy or HTTP Public Key Pinning, the browser enforces the policy the site declared. This offers visitors more protection, but the host has no way of knowing that a violation occurred: the browser blocks malicious content, such as an XSS attack, yet the host learns nothing about it and so can't resolve the underlying problem. This is the problem that fixes. With your own unique reporting endpoint, the browser can send a violation report to us and you can monitor exactly what is happening on your site: which security policies are being triggered, where, and why.
Yes! To make things easy you can use the same reporting address across multiple sites. All reports will still be collected and stored in your account just the same and you can monitor everything from the dashboard for all of your sites! The new filter options allow you to see reports for just a specific site if you want.
Yes! I built this site to be of maximum use to anyone that wanted to implement security reporting and the best way to make it as useful as possible was to make it free. It would be awesome if you'd consider a subscription to help support the service and help keep us going.
The basic features of will always remain free. Those are the ability to create an account, get your own unique reporting endpoint to collect your reports and view basic information and statistics on the reports your site generates. Down the line I may introduce premium features depending on how the site grows or I may just add more features to the free tier. My goal will always be to keep the use of this site free or as cheap as possible.
Any support you can offer to help run would be great! Not only are there financial costs involved in developing and hosting the service but a great deal of time goes in to it too. You can donate via PayPal, Bitcoin 1ScottkY3kbPi6fQEgAaGQoRfz4MxJLGZ or use our DigitalOcean referral link that gets you $10 in free credit!

The site is hosted between two cloud providers, DigitalOcean and Microsoft Azure.

DigitalOcean provide fast SSD based hosting from multiple locations around the world. Their virtual servers, called Droplets, are highly flexible and are what is built on. We use Ubuntu and NginX on our load balancer that then proxies requests to several application servers behind it also running Ubuntu, NginX and PHP.

Microsoft Azure offers many services; we use Table Storage, a NoSQL key-value store that scales to massive datasets. Without having to worry about sharding, storage capacity or throughput, can scale on demand to suit our needs.

The site is written in PHP and makes use of the incredibly lightweight CodeIgniter MVC framework.
Yes, we use a robust TLS configuration on our load balancers that provides a strong selection of cipher suites allowing for Perfect Forward Secrecy. Coupled with our use of HTTP Strict Transport Security and HTTP Public Key Pinning, we score an A+ rating on the Qualys SSL Test. Take a look here.
The phpass password hashing framework provides all the security for storage of passwords on Taking care of providing a strong salt and allowing us to flexibly control the iteration count required, passwords are safely stored in the database. At present we use 1,024 iterations of the bcrypt cryptographic hashing function.
Your email address is used to identify you when logging in and to send you occasional emails. It is never divulged to anyone and never used for any other purpose.
Your violation reports are stored in your own private database table and are used to generate the graphs and information you see in your account section. They are not used for any other purpose.
Yes! It's your data and you have full control over it. Head to the Settings section in your account and select the Disable Account option. This will completely and irrevocably delete all of your data from our database. We don't keep a single thing.
When visitors to your site generate violation reports, we have access to certain information when they send reports to us. From the User Agent string that their browser provides, we store the name of the browser against the report so you can see which browser generated it, like Chrome or Firefox. We do not store or analyse any other data about your visitors.
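The two answers above describe what a reporting endpoint actually receives: a browser that enforces a policy with a `report-uri` directive POSTs a JSON body wrapped in a `csp-report` object, and the collector records which directive was violated, what was blocked, and (from the User-Agent header) which browser family sent it. The example below is added here to illustrate that flow; it is not code from this FAQ or from the service it describes. The policy string, the report body, the User-Agent strings, the `.invalid` endpoint URL and the browser-detection ordering are all constructed for the example.

```python
"""Added example (not part of the original FAQ or of the service's code):
parse a Content-Security-Policy violation report of the kind a browser POSTs
to a `report-uri` endpoint, validate it, and record the browser family from
the User-Agent header. All sample data below is constructed."""
import json
import re

# Constructed example policy. The `report-uri` directive tells the browser
# where to POST violation reports; the endpoint URL here is a placeholder.
EXAMPLE_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.net; "
                  "report-uri https://reporting.example.invalid/r/csp")

# Constructed report body in the shape browsers send: JSON with a top-level
# "csp-report" object (Content-Type: application/csp-report).
SAMPLE_REPORT_BODY = json.dumps({
    "csp-report": {
        "document-uri": "https://www.example.com/checkout",
        "referrer": "",
        "violated-directive": "script-src 'self' https://cdn.example.net",
        "effective-directive": "script-src",
        "original-policy": EXAMPLE_POLICY,
        "blocked-uri": "https://third-party.example.invalid/tracker.js",
        "status-code": 200,
    }
})

# Constructed User-Agent for the sample request.
SAMPLE_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36")

REQUIRED_FIELDS = ("document-uri", "violated-directive", "blocked-uri")
STORED_FIELDS = REQUIRED_FIELDS + ("effective-directive", "original-policy",
                                   "referrer", "status-code")


def parse_csp_report(body: str) -> dict:
    """Return the validated csp-report object, or raise ValueError.

    Reports arrive from arbitrary clients, so the body is treated as
    untrusted: its size is capped, it must be valid JSON, it must carry the
    wrapper key and the fields a dashboard needs, and every stored value is
    coerced to str so nothing unexpected reaches storage.
    """
    if len(body) > 64 * 1024:
        raise ValueError("report too large")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("report is not valid JSON") from exc
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    for field in REQUIRED_FIELDS:
        if not isinstance(report.get(field), str):
            raise ValueError(f"missing or non-string field: {field}")
    # Keep only the fields we store; anything else in the report is dropped.
    return {k: str(report[k]) for k in STORED_FIELDS if k in report}


def browser_name(user_agent: str) -> str:
    """Coarse browser family from a User-Agent string (only the name is kept,
    as the FAQ describes). Ordering is a constructed heuristic: Chrome and
    Edge UAs also contain "Safari", and Edge's contains "Chrome", so the more
    specific tokens are tested first."""
    patterns = [
        ("Edge", r"\bEdge/"),
        ("Chrome", r"\bChrome/"),
        ("Firefox", r"\bFirefox/"),
        ("Safari", r"\bSafari/"),
    ]
    for name, pattern in patterns:
        if re.search(pattern, user_agent):
            return name
    return "Other"


def record_violation(body: str, user_agent: str) -> dict:
    """The record a collector would store for one incoming report."""
    report = parse_csp_report(body)
    return {
        "browser": browser_name(user_agent),
        "document_uri": report["document-uri"],
        "directive": report.get("effective-directive", report["violated-directive"]),
        "blocked_uri": report["blocked-uri"],
    }


if __name__ == "__main__":
    print(json.dumps(record_violation(SAMPLE_REPORT_BODY, SAMPLE_USER_AGENT), indent=2))
```

Run as a script it prints the stored record for the constructed report: browser `Chrome`, directive `script-src`, and the blocked URI. The validation step matters in practice because the endpoint is reachable by anyone, not just browsers enforcing your policy, so a malformed or oversized body must be rejected rather than stored.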