Your Content Security Policy is only doing its job if it's the policy you authorised. Policy Watch monitors the CSP you're actually serving and tells you the moment it changes.
Your CSP is the policy that decides what's allowed to run in the browser. It's the enforcement layer underneath your client-side security. And it can change without anyone telling you.
A deploy loosens a directive. A new source gets added to unblock a broken feature. The policy you're serving today isn't the one you signed off on, and nothing flagged it.
Every unsafe-inline, every added domain, every removed restriction widens what's allowed to execute. A weakened CSP doesn't break the site. It just quietly stops protecting it.
When an auditor asks what your policy was three months ago, or an incident review asks when a directive changed, a live header won't answer. You need the history, not just the current state.
Policy Watch watches the policy delivered to real browsers and records every version of it.
Detects every change to your CSP: additions, deletions, modifications. The moment your policy differs from what it was, Policy Watch catches it — no scheduled scan to wait for.
Get an email notification as soon as a change is detected. No scheduled scans, no waiting for the next review cycle. You know when it happens.
View a complete audit of your current and historic policies, including when each was first seen, when it was last seen, and how often it appears on your site.
If you're already sending CSP telemetry to Report URI, you don't need to change anything to use Policy Watch. Enable it with a single click and it starts monitoring the policy you're already serving.
Policy Watch reads the policy you're already sending. It adds nothing to your page and can't break what it monitors.
One click to enable. No changes to your policy.
30-day free trial · One click to enable · No changes to your CSP · Business plan or higher
Policy Watch monitors the CSP that powers Report URI's other client-side security features. These work alongside it:
| Capability | What it adds |
|---|---|
| Script Watch | Real-time alerting on changes to your JavaScript dependencies. |
| Data Watch | Track changes to where your site sends data, in real time. |
| Threat Intelligence | Detect indicators of compromise to know if your site is breached. |
| PCI DSS Compliance | Meet your PCI DSS 4.0 obligations with CSP and Report URI. |
Together, these form the client-side security visibility layer that sits between your CSP policy and your incident response process.