Skip to content
A CSP endpoint to aggregate, correlate and analyze report-uri violations across your infrastructure
Branch: master
Clone or download
Latest commit 98f3d42 Feb 24, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
static gui improvements, server logic improvements... improvements everywhere Jan 22, 2019
templates removed 'unsafe-inline' in CSP of dashboard because we are not hypocr… Jan 26, 2019
LICENSE Initial commit Jan 20, 2019 Update Feb 24, 2019 removed 'unsafe-inline' in CSP of dashboard because we are not hypocr… Jan 26, 2019 refactoring default values Jan 23, 2019
seccomp-profile-csplogger.json seccomp profile even more hardened by pruning some unnecessary syscalls Feb 24, 2019


An endpoint to aggregate and analyze CSP violations across your infrastructure. CSP logger is addressed to the ones that daily strive to implement a good CSP, free from 'unsafe-inline' and similar demons.


Implementing a Content Security Policy free of issues and still secure is a pain. Fortunately, the CSP can be configured in a "report only but do not block" mode ( With this modality and the directive 'report-uri', it is possible to plan a progressive CSP implementation hardening by monitoring the reports that the browsers of the employees send in the occasion of a violation.


  1. Essentiality and portability achieved with flask, sqlite and datastore
  2. Dashboard that provides the capability for searching, filtering, ordering violations by type, timestamp, website, external resource, etc.
  3. Configurable limits to prevent feature abuses (resource draining, unreliable results by spoofed/crafted logs)
  4. Implemented with security in mind: hardened profiles for SECCOMP and Apparmor available.

Note: to successfully collect the violations occured from the browsers of the corporate users the endpoint must use a TLS certificate released by an internal Certificate Authority, otherwise the browsers will not send the violations automagically :-).

How it (should) works

  1. The endpoint is ideally reacheable from every network segment of the company
  2. The intranet web applications or the corporate web proxies ensure that this header is set in HTTP responses:
    Content-Security-Policy-Report-Only: [HERE_THE_HARDENED_POLICY_TO_TEST]; report-uri https://[IP_OF_ENDPOINT]/log
  1. Users daily navigate the intranet websites without any impact to their work while their browsers send "in background" the violations occured for every single resources loaded (js, css, image, etc.) that would be blocked by the desired CSP configuration.
  2. Here comes the tricky part: make sense of all the data, addressing the violations per website, figure out if the policy should be deployed in a more permissive configuration or get rid of the resources in a way that ensures usability but also a more secure implementation.


docker pull giuliocomi/csplogger



This endpoint is best suited to run in a docker image deployed in the corporate intranet.

docker run -it -v [LOCAL_VOLUME]:/home/csplogger-agent/csplogger/databases/  giuliocomi/csplogger

Running the container with SECCOMP and Apparmor profiles enabled:

docker run --security-opt="apparmor:docker-csplogger-apparmor" --security-opt seccomp=seccomp-profile-csplogger.json  -v [LOCAL_VOLUME]:/home/csplogger-agent/csplogger/databases/ --cpus 1 --memory 512Mb giuliocomi/csplogger


(1) Dashboard

alt text

(2) Simple demonstration of logging and analysing CSP violations across the intranet.

alt text


Spot a bug? Please create an issue here on GitHub (


This project is licensed under the GNU general public license Version 3.

You can’t perform that action at this time.