Newsletter - May 2026

May has been a busy month at Report URI HQ, with a big push on account security alongside a host of improvements to how we surface threats in your reports. Here's everything we shipped.

Device Bound Session Credentials - Beta 🔐

We've implemented the emerging Device Bound Session Credentials (DBSC) specification, which cryptographically binds your login to a hardware-backed key on your device. This means that even if a session cookie were stolen, it can't be replayed from a different device. It's purely browser-driven, so there's nothing to install, and it's available now behind a beta flag. If you'd like to enable it on your account, reach out to support@ and we'll get you set up.

See and manage every active session 🖥️

You can now see all of your active sessions in one place from your Account Settings, including the device, IP address and when each was last seen. Spot something you don't recognise? You can remotely sign out an individual session, or sign out of every other session at once, all gated behind your password.

A nudge to review your sessions after a credential change 🔑

When you change your password, update your email address or enable two-factor authentication, we'll now prompt you to review your other active sessions if you have any. A link takes you straight to Manage Sessions so you can check everything looks right and sign out anything you don't recognise.

Threat Intelligence on CSP Integrity and Integrity Policy reports 🎯

The Threat Intelligence enrichment you already get on your CSP Reports - indicators of compromise, domain reputation and newly-registered-domain warnings - now extends to your CSP Integrity and Integrity Policy reports too, complete with the grouped filter dropdown to drill straight into flagged reports.

Indicator of Compromise warnings across your Watch products 🚨

Script Watch, Data Watch and Frame Watch alerts will now flag known indicators of compromise, giving you an immediate signal when something suspicious appears in the assets loading on your site.

Redesigned Threat Intelligence filters, with a new "Any" search 🔍️

We've grouped the Threat Intelligence selectors on your reports into a cleaner, easier-to-use dropdown, and added a new "Any" option so you can surface every flagged report in a single click rather than checking each indicator one at a time.

Sharper CSP analysis 🧠

Following on from the deeper policy inspection we introduced last month, Policy Watch now pinpoints specific areas of concern in your Content Security Policy, and your reports carry additional data to help you track down exactly what needs attention. Check your notification emails or head to Policy Watch to see what we've flagged.

Policy Watch tells you when telemetry stops 📭

If one of your policies suddenly stops sending reports, that's often the first sign that something has broken in your deployment. Policy Watch will now alert you when telemetry stops arriving, so a silent failure doesn't go unnoticed.

We've open-sourced our passkeys library 🥷

When we added Passkeys support we forked and modernised the underlying WebAuthn library, bringing in fixes from our penetration test along the way. We've now open-sourced that work as report-uri/passkeys-php - a maintained, security-reviewed library that the wider PHP community can build on.

A new home for your Watch products 🗂️

We've added a dedicated Watch section to the menu, along with a new overview page that gives you an at-a-glance view across all of your Watch products from a single screen.

Per-watcher Exclusions, just landed ✂️

Hot off the press, you can now maintain a per-watcher Exclusions list from a new configuration modal, making it easy to tune each watcher and cut down the noise so you only hear about the things that matter to you.

It's been a fantastic month, and securing your account and sharpening your visibility into threats are themes we'll keep building on through the rest of the year. As always, if you have any ideas or feedback, please do let me know, and if you'd like to join the DBSC beta or any of our other beta features, reach out to support@ to get involved!

Scott Helme,

Founder.