Content Security Policy isn’t new, but it is still powerful enough to feel like the new hotness: a single header on an HTTP response tightens the user agent’s security rules and reports on violations. Adding new security controls to a website and a codebase as large as Yelp’s has to be a gradual process. Applying the new controls all at once would break the site in unexpected ways, and that’s just not cool. Fortunately, CSP includes a reporting feature, the Content-Security-Policy-Report-Only header, which is a “lemme know what would happen, but don’t actually do it” mode: the browser sends a violation report to the endpoint named in the policy instead of blocking the resource. By using CSP reporting, Yelp can find and fix problems related to new CSP controls before they break the site. It’s easy to read a single CSP report, but what if you’re getting thousands of reports a minute? This talk focuses on how Yelp makes sense of CSP reports at scale.

Ivan Leichtling leads an amazing team of engineers focused on securing Yelp's visitors, mobile apps, websites, employees, and infrastructure. Ivan holds a BS in Computer Science from the Columbia University School of Engineering and Applied Sciences. Prior to Yelp, Ivan spent a dozen years writing software, building hardware, and leading teams at Microsoft.
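The abstract describes the problem of turning thousands of report-only violation reports into something actionable. The script below is an added example of that first step, not Yelp's code or the approach presented in the talk: it parses reports in both wire formats a collector receives (the `report-uri` body with a `csp-report` object, and the Reporting API list of `csp-violation` objects used by `report-to`), discards browser-extension noise, strips cache-busting query strings and fragments from `blocked-uri`, and counts violations per (directive, resource). The hosts, the reports and the collector path are constructed for illustration.

```python
"""Aggregate CSP violation reports so that thousands of near-identical
reports collapse into a handful of (directive, blocked resource) rows.
Added example, not Yelp's code; hosts and sample reports are constructed."""
import json
from collections import Counter
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Browser extensions inject scripts and styles the site never served;
# their violations say nothing about the policy and are dropped as noise.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                     "safari-web-extension", "ms-browser-extension"}

# Non-URL values browsers put in blocked-uri for inline/eval violations.
KEYWORD_VALUES = {"inline", "eval", "self", "data", "blob", "wasm-eval"}


def normalize_blocked_uri(blocked: str) -> Optional[str]:
    """Return a grouping key for a blocked-uri, or None if it is noise."""
    blocked = (blocked or "").strip()
    if not blocked:
        return "(empty)"          # browsers redact cross-origin URLs to ""
    if blocked in KEYWORD_VALUES:
        return blocked
    parts = urlsplit(blocked)
    if parts.scheme in EXTENSION_SCHEMES:
        return None
    if parts.scheme in ("data", "blob"):
        return parts.scheme       # payload is unbounded; keep only the scheme
    if parts.netloc:
        # Cache-busting query strings and fragments would split one
        # resource into thousands of keys; group on origin + path.
        return f"{parts.scheme}://{parts.netloc}{parts.path}"
    return blocked


def extract_violation(report: dict) -> Optional[Tuple[str, str]]:
    """Pull (directive, blocked-uri) out of either wire format: report-uri
    POSTs {"csp-report": {...}} with kebab-case keys; the Reporting API
    (report-to) POSTs {"type": "csp-violation", "body": {...}} objects."""
    if "csp-report" in report:
        body = report["csp-report"]
        directive = body.get("effective-directive") or body.get("violated-directive", "")
        blocked = body.get("blocked-uri", "")
    elif report.get("type") == "csp-violation":
        body = report.get("body", {})
        directive = body.get("effectiveDirective") or body.get("violatedDirective", "")
        blocked = body.get("blockedURL", "")
    else:
        return None
    # violated-directive may carry the whole source list ("script-src 'self' ...");
    # keep only the directive name.
    return (directive.split()[0] if directive else "(unknown)"), blocked


def aggregate(raw_reports) -> Tuple[Counter, int]:
    """Count violations per (directive, normalised blocked-uri); also
    return how many reports were dropped as noise or non-CSP types."""
    counts: Counter = Counter()
    dropped = 0
    for raw in raw_reports:
        payload = json.loads(raw) if isinstance(raw, str) else raw
        for item in (payload if isinstance(payload, list) else [payload]):
            violation = extract_violation(item)
            key = normalize_blocked_uri(violation[1]) if violation else None
            if key is None:
                dropped += 1
                continue
            counts[(violation[0], key)] += 1
    return counts, dropped


def top_violations(counts: Counter, n: int = 10):
    """Most frequent (directive, blocked) pairs, the ones worth fixing first."""
    return counts.most_common(n)


# Constructed sample reports in the two shapes a collector receives.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/biz/x",
                               "effective-directive": "script-src",
                               "blocked-uri": "https://cdn.example.com/lib.js?v=1"}}),
    json.dumps({"csp-report": {"document-uri": "https://www.example.com/search",
                               "violated-directive": "script-src 'self' https://static.example.com",
                               "blocked-uri": "https://cdn.example.com/lib.js?v=2"}}),
    json.dumps({"csp-report": {"effective-directive": "style-src-elem",
                               "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"effective-directive": "script-src",
                               "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js"}}),
    json.dumps([{"type": "csp-violation", "url": "https://www.example.com/",
                 "body": {"effectiveDirective": "img-src",
                          "blockedURL": "https://img.example.net/a.png#x"}},
                {"type": "deprecation", "url": "https://www.example.com/",
                 "body": {"id": "SomeFeature"}}]),
]

if __name__ == "__main__":
    totals, noise = aggregate(SAMPLE_REPORTS)
    for (directive, blocked), n in top_violations(totals):
        print(f"{n:6d}  {directive:<16} {blocked}")
    print(f"dropped as noise: {noise}")
```

Fed the five sample reports, the two `lib.js` reports collapse into one row under `script-src`, the inline style and the image each get a row, and the extension-injected script and the non-CSP `deprecation` report are counted as dropped. The header that produces such reports without blocking anything is `Content-Security-Policy-Report-Only: ...; report-uri /csp-report` (or `report-to` with a matching `Reporting-Endpoints` header); the grouping keys are a starting point, and a real collector would also rate-limit per client and retain a sample of raw reports for each key so the full `original-policy` and `source-file` fields stay available when fixing a violation.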