
CSP Reporting

In simple terms, CSP reporting means taking the CSP violation reports generated by the browser and sending them to a centralised location for storage and visualisation.

Sentry.io

Sentry.io offers a CSP reporting endpoint. If the project is already using Sentry.io for error monitoring this is likely to be a simple, easy addition.

Be aware that CSP reports can generate a lot of volume, so watch your quotas if using the SaaS, or disk space if self-hosting.

https://docs.sentry.io/security-legal-pii/security/security-policy-reporting/#content-security-policy

Sansec Watch

INFO

There was a reason we did not roll this out after testing. I 'think' it may not have supported older versions of Magento (< 2.4.6)?

Sansec Watch is a Magento-specific CSP reporting endpoint.

The benefit is that you can manage the CSP whitelist via their portal through simple allow/deny buttons.

It also provides crowd-sourced data on trusted and malicious domains.

https://sansec.io/watch

Integer released the Sansec Watch Module, which helps sync the rules between Sansec and Magento.

go-csp-collector

go-csp-collector lets you integrate CSP logging into your existing observability suite. You can run it locally within your infrastructure and expose it via your reverse proxy.

You can log either to syslog or to a file, depending on your current setup, and then pick up the generated logs with your existing log shipping application.

Visualisation and alerting can then be configured within your existing observability infrastructure, whether that's New Relic, ELK, or LGTM.

https://github.com/jacobbednarz/go-csp-collector
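To make the flow above concrete, here is an added example of a minimal self-hosted collector of the same kind: a Go HTTP endpoint that accepts the browser's POSTed report, parses the "csp-report" object strictly, and emits one JSON line per violation for syslog or a file to pick up. This is example code written for this page, not go-csp-collector's own source; the log field names, the 16 KiB size limit, the /csp-report path and the sample report are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// CSPReport mirrors the "csp-report" object a browser POSTs to the report-uri
// endpoint. Every field is browser-supplied, so treat it as untrusted input:
// parse strictly and log as structured data, never as a raw string.
type CSPReport struct {
	DocumentURI        string `json:"document-uri"`
	ViolatedDirective  string `json:"violated-directive"`
	EffectiveDirective string `json:"effective-directive"`
	OriginalPolicy     string `json:"original-policy"`
	BlockedURI         string `json:"blocked-uri"`
	Disposition        string `json:"disposition"`
	StatusCode         int    `json:"status-code"`
	SourceFile         string `json:"source-file"`
	LineNumber         int    `json:"line-number"`
}

type reportEnvelope struct {
	Report *CSPReport `json:"csp-report"`
}

// LogEntry is the one-line JSON record handed to syslog or a file for the log
// shipper. The field names are this example's own choice.
type LogEntry struct {
	Time        string `json:"time"`
	Type        string `json:"type"`
	DocumentURI string `json:"document_uri"`
	Directive   string `json:"directive"`
	BlockedURI  string `json:"blocked_uri"`
	BlockedHost string `json:"blocked_host"`
	Disposition string `json:"disposition"`
	SourceFile  string `json:"source_file,omitempty"`
	Line        int    `json:"line,omitempty"`
}

// maxReportBytes bounds one report: real reports are small, and the endpoint
// is reachable by anyone who can load the site, so cap what we buffer.
const maxReportBytes = 16 * 1024

// sampleReport is a constructed report in the shape a browser sends when an
// unexpected script is blocked by script-src (not a real captured report).
const sampleReport = `{"csp-report":{
  "document-uri":"https://shop.example/checkout",
  "violated-directive":"script-src 'self'",
  "effective-directive":"script-src",
  "original-policy":"default-src 'self'; script-src 'self'; report-uri /csp-report",
  "blocked-uri":"https://cdn.third-party.example/widget.js",
  "disposition":"enforce",
  "status-code":200}}`

// ParseReport unwraps the envelope and rejects reports missing the fields
// needed for any useful alert.
func ParseReport(body []byte) (*CSPReport, error) {
	var env reportEnvelope
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("invalid JSON: %w", err)
	}
	if env.Report == nil {
		return nil, errors.New(`missing "csp-report" object`)
	}
	r := env.Report
	if r.DocumentURI == "" || (r.EffectiveDirective == "" && r.ViolatedDirective == "") {
		return nil, errors.New("report lacks document-uri or a directive")
	}
	return r, nil
}

// BlockedHost reduces blocked-uri to a host for grouping and alerting.
// Values such as "inline", "eval" or "data" are CSP keywords, not URLs,
// and come back unchanged.
func BlockedHost(blocked string) string {
	u, err := url.Parse(blocked)
	if err != nil || u.Host == "" {
		return blocked
	}
	return u.Host
}

// ToLogEntry flattens a report into the line the log shipper will forward.
func ToLogEntry(r *CSPReport, now time.Time) LogEntry {
	directive := r.EffectiveDirective
	if directive == "" {
		directive = r.ViolatedDirective
	}
	return LogEntry{
		Time:        now.UTC().Format(time.RFC3339),
		Type:        "csp-violation",
		DocumentURI: r.DocumentURI,
		Directive:   directive,
		BlockedURI:  r.BlockedURI,
		BlockedHost: BlockedHost(r.BlockedURI),
		Disposition: r.Disposition,
		SourceFile:  r.SourceFile,
		Line:        r.LineNumber,
	}
}

// handleReport is the endpoint exposed behind the reverse proxy. It only
// accepts POSTs with the CSP report media type (or plain JSON) and answers
// 204 so the browser has nothing to render.
func handleReport(w http.ResponseWriter, req *http.Request) {
	if req.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	ct := req.Header.Get("Content-Type")
	if !strings.HasPrefix(ct, "application/csp-report") && !strings.HasPrefix(ct, "application/json") {
		http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
		return
	}
	body, err := io.ReadAll(http.MaxBytesReader(w, req.Body, maxReportBytes))
	if err != nil {
		http.Error(w, "report too large", http.StatusRequestEntityTooLarge)
		return
	}
	r, err := ParseReport(body)
	if err != nil {
		http.Error(w, "bad report", http.StatusBadRequest)
		return
	}
	line, _ := json.Marshal(ToLogEntry(r, time.Now()))
	log.Println(string(line)) // stdout here; point the logger at syslog or a file in a deployment
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	http.HandleFunc("/csp-report", handleReport)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The policy that feeds this endpoint needs a matching `report-uri /csp-report` (or a `report-to` group) directive; the `blocked_host` field is what you would group on in your observability tooling, since a new host appearing under `script-src` on a checkout page is the signal worth alerting on, and the per-report size cap plus the volume warning above are why the collector should sit behind the reverse proxy's rate limiting.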