Skip to main content
Version: 8.2405.x.x RR

Content Security Policy Violation logging

Content Security Policy (CSP) is a feature that allows the configuration of which resources can be loaded by the browser. The primary goal of CSP is to mitigate and detect Cross Site Scripting.

To upgrade your configuration with CSP, as a first step, it is recommended to enable the reporting feature of CSP. The CSP reporting can also help in troubleshooting your CSP-related issues.

To make the clients send their CSP violations back to nevisProxy, you need to add the CSP Reporting related response headers and a LuaFilter to receive the report.

The following sample configuration contains both of them:

<!-- ********** filters ************** -->
<!-- ********************************* -->

<filter>
    <filter-name>CSPHeader</filter-name>
    <filter-class>ch::nevis::isiweb4::filter::delegation::HeaderDelegationFilter</filter-class>
    <init-param>
        <param-name>DelegateToFrontend</param-name>
        <param-value>
            Content-Security-Policy-Report-Only:CONST:default-src 'self';; CONST:report-uri /collector.cgi?uri;; CONST:report-to ep1
            Reporting-Endpoints:CONST:ep1="https://<your-nevisProxy's-frontend-side-address>/collector.cgi?to"
        </param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CSPReportCollector</filter-name>
    <filter-class>ch::nevis::isiweb4::filter::lua::LuaFilter</filter-class>
    <init-param>
        <param-name>Script.InputHeaderFunctionName</param-name>
        <param-value>inputHeader</param-value>
    </init-param>
    <init-param>
        <param-name>Script.InputFunctionName</param-name>
        <param-value>input</param-value>
    </init-param>
    <init-param>
        <param-name>Script</param-name>
        <param-value>
            function inputHeader(req, res)
                res:setBody('')
                res:send(200)
            end
            function input(req, res, chunk)
                if chunk ~= nil then
                    trace = req:getTracer()
                    trace:notice('CSP-Report (report-'..req:getQuery()..'): '..chunk)
                end
            end
        </param-value>
    </init-param>
</filter>

<!-- ********** filter mapping ************** -->
<!-- **************************************** -->

<filter-mapping>
    <filter-name>CSPHeader</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CSPReportCollector</filter-name>
    <url-pattern>/collector.cgi</url-pattern>
</filter-mapping>

The example above creates the following log entries in navajo.log when a CSP violation occurs:

IW4LuaFlt  ... 5-NOTICE:  CSP-Report (report-uri): {"csp-report":{"blocked-uri":"https://code.jquery.com/jquery-3.6.4.min.js","document-uri":"http://<frontend-address>/","original-policy":"default-src 'self'; report-uri http://<frontend-address>/collector.cgi?uri","referrer":"","violated-directive":"default-src"}}

or

IW4LuaFlt  ... 5-NOTICE:  CSP-Report (report-to): [{"age":11647,"body":{"blockedURL":"https://code.jquery.com/jquery-3.6.4.min.js","disposition":"report","documentURL":"https://<frontend-address>/","effectiveDirective":"script-src-elem","originalPolicy":"default-src 'self'; report-uri /collector.cgi?uri; report-to ep1","referrer":"","sample":"","statusCode":200},"type":"csp-violation","url":"https://<frontend-address>/","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"}]

depending on what directive the browser support.