Easily build your CSP
Building a good CSP is hard to do when you have tons of unknown scripts across your web apps.
The easiest way to build your CSP incrementally is to use the report-uri directive and listen for anything that breaks while the policy runs in report-only mode.
Our CSP Reporter makes this easy by storing all CSP report logs and displaying the distinct reports, so you can decide which sources to add to your policy.
Check out Metlo API Security for more complete API protection!
You can install the service either with Docker or with our binary. The CSP report listener is configured with the following environment variables:
METLO_SECRET_KEY [required] - The secret key required to view CSP reports. Be sure to set this to something secure, such as a long random string.
METLO_DATA_PATH [default /tmp/metlo_csp/] - Where CSP report data is stored. By default this is a tmp folder, so change it if you want your data to persist across restarts.
METLO_PORT [default 8080] - The port the service listens on.
METLO_LOG_LEVEL [default info] - The logging level; set it to debug for verbose output.
Docker Setup
$ docker run -p 8080:8080 --env METLO_SECRET_KEY=<A_RANDOM_STRING> metlo/csp-service
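Because METLO_DATA_PATH defaults to a tmp folder inside the container, a plain docker run loses every stored report when the container is recreated. The following docker-compose.yml is an added example (not shipped by Metlo) that mounts a named volume and points METLO_DATA_PATH at it; the /data path and the csp-reporter service name are arbitrary choices, and the secret key is taken from the host environment so it never lands in the file.

```yaml
# docker-compose.yml - added example, not part of the Metlo project.
# Image name and env var names are the ones documented above; /data and
# the volume name are assumptions you can change freely.
services:
  csp-reporter:
    image: metlo/csp-service
    ports:
      - "8080:8080"
    environment:
      # Fail fast at `docker compose up` if the secret is not set on the host.
      METLO_SECRET_KEY: ${METLO_SECRET_KEY:?set METLO_SECRET_KEY in your environment}
      # Persist reports outside the container instead of the default tmp folder.
      METLO_DATA_PATH: /data
    volumes:
      - csp-data:/data

volumes:
  csp-data:
```

Bring it up with `METLO_SECRET_KEY=$(openssl rand -hex 32) docker compose up -d`; the reports survive `docker compose down` and `up` as long as the csp-data volume is not removed.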
Binary Setup
$ curl https://metlo-releases.s3.us-west-2.amazonaws.com/csp_service_linux_amd64_latest > metlo_csp_service
$ chmod +x metlo_csp_service
$ METLO_SECRET_KEY=<A_RANDOM_STRING> ./metlo_csp_service
Be sure to deploy this service behind a public endpoint so your site can send reports to it, and serve that endpoint over HTTPS: if your site is served over HTTPS, browsers treat a report POST to a plain http:// endpoint as mixed content and will not send it. Ping us on discord if you have any questions!
Add the following directive to your CSP header, where <METLO_CSP_SERVICE_DOMAIN> is the full URL of the service (for example https://csp.example.net/). The value must include the scheme: a bare hostname would be resolved as a relative path on your own site, and the reports would never reach the service.
report-uri <METLO_CSP_SERVICE_DOMAIN>
For example your CSP Header might look like this:
Content-Security-Policy: default-src 'self'; script-src https://example.com; report-uri <METLO_CSP_SERVICE_DOMAIN>
If you only want to report violations without enforcing the policy, send the same directives in the report-only header instead. The header must carry the directives you want to test; a Content-Security-Policy-Report-Only header that contains nothing but report-uri has no directive to violate and will never produce a report.
Content-Security-Policy-Report-Only: default-src 'self'; script-src https://example.com; report-uri <METLO_CSP_SERVICE_DOMAIN>
You can also send both headers at once: enforce the policy you already trust with Content-Security-Policy and trial a stricter one with Content-Security-Policy-Report-Only. Each header reports its own violations to the report-uri it names. report-uri is marked deprecated in CSP Level 3 in favour of report-to, but current browsers still honour it.
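The workflow this page describes (collect reports in report-only mode, look at the distinct ones, add sources to the policy) can be followed by hand, but the reduction from a raw report to a source expression has a few traps: a blocked-uri is usually a full URL that should be collapsed to its origin, keyword values such as inline, eval and data map to special source expressions, and a newly added fetch directive stops inheriting from default-src. The script below is an added example, not Metlo's code; the reports in SAMPLE_REPORTS are constructed to match the JSON shape browsers POST to a report-uri endpoint (Content-Type: application/csp-report), and the hostnames in them are placeholders.

```python
"""Aggregate CSP violation reports into policy suggestions.

Added example, not part of Metlo's CSP Reporter. Sample reports are
constructed; no real site or endpoint is involved.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# The policy the constructed reports were generated against (assumed).
ORIGINAL_POLICY = ("default-src 'self'; script-src https://example.com; "
                   "report-uri https://csp.example.net")

# Constructed reports in the report-uri wire format: a JSON object with a
# single "csp-report" key. Hostnames are placeholders.
def _report(directive, blocked, page="https://example.com/", **extra):
    body = {"document-uri": page, "effective-directive": directive,
            "violated-directive": directive, "original-policy": ORIGINAL_POLICY,
            "blocked-uri": blocked}
    body.update(extra)
    return json.dumps({"csp-report": body})

SAMPLE_REPORTS = [
    _report("script-src", "https://cdn.example.org/lib/analytics.js"),
    _report("script-src", "https://cdn.example.org/lib/widget.js"),
    _report("script-src", "inline", line_number=42),
    _report("img-src", "data"),
    _report("connect-src", "wss://live.example.org/socket"),
]

# Keyword blocked-uri values that browsers send instead of a URL, mapped to
# the source expression that would allow them.
KEYWORD_SOURCES = {
    "inline": "'unsafe-inline'",
    "eval": "'unsafe-eval'",
    "data": "data:",
    "blob": "blob:",
}

# Suggestions that weaken the policy instead of whitelisting an origin;
# these should be fixed in the application (nonces, hashes, no eval) rather
# than allowed.
WEAKENING_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}


def report_source(blocked_uri):
    """Reduce a blocked-uri value to the source expression that allows it."""
    if blocked_uri in KEYWORD_SOURCES:
        return KEYWORD_SOURCES[blocked_uri]
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        # Allow the origin only: a per-file whitelist churns with every
        # deploy and documents exactly which files are trusted.
        return f"{parts.scheme}://{parts.netloc}"
    # Anything else (bare scheme, truncated value) is passed through for a
    # human to look at.
    return blocked_uri


def aggregate(raw_reports):
    """Count distinct (effective-directive, source) pairs across raw POST bodies."""
    counts = defaultdict(int)
    for raw in raw_reports:
        try:
            body = json.loads(raw)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed or unrelated POST; a public endpoint sees many
        directive = body.get("effective-directive") or \
            body.get("violated-directive", "").split(" ")[0]
        blocked = body.get("blocked-uri", "")
        if not directive or not blocked:
            continue
        counts[(directive, report_source(blocked))] += 1
    return dict(counts)


def parse_policy(policy):
    """Split a policy string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def suggest_policy(policy, counts):
    """Merge observed sources into the policy and return the new header value."""
    directives = parse_policy(policy)
    for (directive, source), _n in sorted(counts.items()):
        if directive not in directives:
            # A fetch directive that is spelled out no longer falls back to
            # default-src, so seed it with default-src's sources or the
            # things that worked before will start to break.
            directives[directive] = list(directives.get("default-src", []))
        if source not in directives[directive]:
            directives[directive].append(source)
    # Keep report-uri last so the policy reads naturally.
    ordered = {d: s for d, s in directives.items() if d != "report-uri"}
    if "report-uri" in directives:
        ordered["report-uri"] = directives["report-uri"]
    return "; ".join(f"{d} {' '.join(s)}".strip() for d, s in ordered.items())


def weakening(counts):
    """Return the (directive, source) pairs that would weaken the policy."""
    return sorted(k for k in counts if k[1] in WEAKENING_SOURCES)


if __name__ == "__main__":
    seen = aggregate(SAMPLE_REPORTS)
    for (directive, source), n in sorted(seen.items()):
        print(f"{n:4d}  {directive:12s} {source}")
    print("\nSuggested policy:\n" + suggest_policy(ORIGINAL_POLICY, seen))
    print("\nReview before allowing:", weakening(seen))
```

Run it against the JSON bodies your reporter stored instead of SAMPLE_REPORTS; the counts tell you which missing sources are real dependencies and which are one-off noise (browser extensions commonly show up as a single report per origin), and the weakening list is the set of suggestions to fix in the application rather than paste into the header.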