🐞[Bug]: CSP Report Endpoint Logs Unsanitized Payload Instead of Sanitized Report

[Krishnx21]

Related Area

Frontend

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

The CSP reporting endpoint in web/src/app/api/csp-report/route.ts creates a sanitized version of the incoming CSP report (cspReport) by processing fields such as:

document-uri
referrer
blocked-uri

However, the endpoint later logs the original report object instead of the sanitized cspReport object.

As a result, the sanitization logic is not consistently applied to logged data, and any sensitive information present elsewhere in the CSP payload may still appear in application logs.

This creates an inconsistency between the intended sanitized output and the actual data being logged.

Expected behavior

The endpoint should consistently use the sanitized CSP report object whenever report data is written to logs, ensuring that the sanitization process is effective.

Actual behavior

The original unsanitized report payload is logged, which bypasses the sanitization logic already implemented in the handler.

Steps to Reproduce:-

Submit a CSP violation report containing URLs with query parameters or additional metadata.
Trigger the /api/csp-report endpoint.
Check the server logs.
Observe that the original report object is logged instead of the sanitized report.

Add ScreenShots

No response

What browsers are you seeing the problem on?

chrome

Record

• I have read the Contributing Guidelines
• I'm a GSSOC'24 contributor
• I'm a GSSOC'26 contributor
• I'm a IEEE IGDTUW contributor
• I want to work on this issue

[github-actions]

Thank you for creating this issue! We'll look into it as soon as possible. Your contributions are highly appreciated! 😊

[akshayad2006-cmd]

@SB2318 I would like to contribute under GSSoC
/assign

[pushtikadia]

Hi @SB2318! Logging unsanitized payloads from public CSP reporting endpoints presents a serious security risk for backend log integrity. I'd love to write an input validation filter to sanitize incoming reporting bodies properly before they hit the logging engine. Please assign this bug to me for GSSoC'26!

---

💻 Step 2: Grab the Code

While you leave your comment on whichever issue you like best, you can initialize the codebase locally to look over the directory structure:

git clone https://github.com/SB2318/UltimateHealth.git
cd UltimateHealth

[CodexCasper]

Hi @SB2318,

I’m a GSSoC 2026 contributor and would like to work on this issue.

I reviewed the issue description and understand that the CSP report endpoint is currently logging the original incoming payload instead of the sanitized version, which may expose sensitive or untrusted data in application logs.

I plan to:

• inspect the CSP report handling flow and identify where sanitization is applied,
• verify whether the endpoint logs the raw request payload before or after sanitization,
• update the logging mechanism to consistently use the sanitized report object,
• ensure that sensitive fields and potentially unsafe values are excluded from logs,
• review related logging utilities and middleware for similar inconsistencies,
• add or update tests (if available) to verify that only sanitized reports are logged,
• validate that the change preserves existing CSP reporting functionality without affecting monitoring workflows.

I’ll focus on improving security and log hygiene while maintaining the current behavior of the CSP reporting pipeline.

Please assign this issue to me. Thank you!

[ShreyanshTiwari725]

/assign gssoc'2026

[Krishnx21]

/assign under gssoc 2026