An endpoint to aggregate and analyze CSP violations across your infrastructure. CSP logger is addressed to the ones that daily strive to implement a good CSP, free from 'unsafe-inline' and similar demons.
Implementing a Content Security Policy free of issues and still secure is a pain. Fortunately, the CSP can be configured in a "report only but do not block" mode (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only). With this modality and the directive 'report-uri', it is possible to plan a progressive CSP implementation hardening by monitoring the reports that the browsers of the employees send in the occasion of a violation.
- Essentiality and portability achieved with flask, sqlite and datastore
- Dashboard that provides the capability for searching, filtering, ordering violations by type, timestamp, website, external resource, etc.
- Configurable limits to prevent feature abuses (resource draining, unreliable results by spoofed/crafted logs)
- Implemented with security in mind: hardened profiles for SECCOMP and Apparmor available.
Note: to successfully collect the violations occured from the browsers of the corporate users the endpoint must use a TLS certificate released by an internal Certificate Authority, otherwise the browsers will not send the violations automagically :-).
How it (should) works
- The endpoint is ideally reacheable from every network segment of the company
- The intranet web applications or the corporate web proxies ensure that this header is set in HTTP responses:
Content-Security-Policy-Report-Only: [HERE_THE_HARDENED_POLICY_TO_TEST]; report-uri https://[IP_OF_ENDPOINT]/log
- Users daily navigate the intranet websites without any impact to their work while their browsers send "in background" the violations occured for every single resources loaded (js, css, image, etc.) that would be blocked by the desired CSP configuration.
- Here comes the tricky part: make sense of all the data, addressing the violations per website, figure out if the policy should be deployed in a more permissive configuration or get rid of the resources in a way that ensures usability but also a more secure implementation.
docker pull giuliocomi/csplogger
This endpoint is best suited to run in a docker image deployed in the corporate intranet.
docker run -it -v [LOCAL_VOLUME]:/home/csplogger-agent/csplogger/databases/ giuliocomi/csplogger
Running the container with SECCOMP and Apparmor profiles enabled:
docker run --security-opt="apparmor:docker-csplogger-apparmor" --security-opt seccomp=seccomp-profile-csplogger.json -v [LOCAL_VOLUME]:/home/csplogger-agent/csplogger/databases/ --cpus 1 --memory 512Mb giuliocomi/csplogger
(2) Simple demonstration of logging and analysing CSP violations across the intranet.
Spot a bug? Please create an issue here on GitHub (https://github.com/giuliocomi/csplogger/issues)
This project is licensed under the GNU general public license Version 3.