
Middleware for monitoring CSP Violations #19

Open
jrson83 opened this issue Sep 17, 2022 · 1 comment

Comments

@jrson83
Contributor

jrson83 commented Sep 17, 2022

With the CSP middleware it is possible to enable reporting of CSP violations to an API endpoint using the legacy v0 Report-To or v1 Reporting-Endpoints directives (more info). Using the Reporting API, the browser sends a violation report as an HTTP POST request with content type `application/json`, `application/csp-report` or `application/reports+json` to the endpoint.

Would it be possible to create a middleware that sets up an API endpoint and listens for incoming reports, like described here in the example for Node.js?

```js
// node js example
app.use(
  bodyParser.json({
    type: [
      'application/json',
      'application/csp-report',
      'application/reports+json',
    ],
  })
);
app.post('/__cspreport__', (req, res) => {
  console.log(req.body);
});
```

Another great example of how this could be done can be found in this blog post: Monitoring Content Security.

@oscarotero oscarotero transferred this issue from lumeland/lume Sep 18, 2022
@oscarotero
Member

Lume is not intended to be a server-side framework that can handle routers and HTTP APIs. The HTTP middleware system is designed to serve static files, so maybe the monitoring system should be implemented externally, so the logs can be stored in a database or the filesystem.

If the purpose of this middleware is only to console.log() the incoming reports (so they can be seen in the Logs section of Deno deploy), maybe this functionality could be implemented in the CSP middleware (btw, I've moved this issue to the experimental plugins repo).

To slim down a bit the middleware, I propose the following:

  1. Move the CSP builder to a different module, so it can be reused by other projects, not only Lume.
  2. Allow customizing the report URI to be handled by the middleware itself.

Imagine something like this (pseudocode):

```ts
import { builder, type CspOptions } from "https://deno.land/x/csp_builder/mod.ts";
import type { Middleware, RequestHandler } from "lume/core.ts";
import { merge } from "lume/core/utils.ts";

interface Options {
  /** Options to build the CSP headers */
  csp: CspOptions;

  /** To log the incoming reports */
  logReports: boolean;
}

/** Default options: build headers from an empty config and do not log reports */
const defaults: Options = {
  csp: {} as CspOptions,
  logReports: false,
};

export default function csp(userOptions?: Partial<Options>): Middleware {
  const options = merge(defaults, userOptions);

  return async (request: Request, next: RequestHandler) => {
    // request.url is an absolute URL, so compare only its path with the configured report URI
    const { pathname } = new URL(request.url);

    if (options.logReports && request.method === "POST" && pathname === options.csp.reportUri) {
      const json = await request.json();
      console.log(json);
      return new Response();
    }

    const response = await next(request);
    const { headers } = response;
    builder(headers, options.csp);
    return response;
  };
}
```
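The two comments above describe the two halves of a report endpoint: the wire formats the browser may POST (legacy `csp-report` object vs. Reporting API array) and the middleware check that routes such a POST. The following is an added example, not code from this issue or from the Lume project: it normalizes both formats into one record, and wraps the handling in a framework-independent function so the method, path, content type and body-size checks can be tested without a `Request` object. The `CspViolation` shape, `MAX_REPORT_BYTES` limit, the `/__cspreport__` default path and the sample report bodies are all constructed for illustration.

```typescript
// Added example (not part of the issue or the Lume/CSP middleware project).
// Normalizes CSP violation reports from the three content types a browser may
// send and applies the checks a report endpoint needs before logging anything.

/** A report reduced to the fields worth logging regardless of wire format (constructed). */
interface CspViolation {
  documentUri: string;
  violatedDirective: string;
  blockedUri: string;
  disposition: string; // "enforce" or "report"
}

/** Largest body the endpoint will parse (constructed limit). */
const MAX_REPORT_BYTES = 64 * 1024;

const ACCEPTED_TYPES = ["application/json", "application/csp-report", "application/reports+json"];

function str(v: unknown): string {
  return typeof v === "string" ? v : "";
}

function mimeOf(contentType: string): string {
  return contentType.split(";")[0].trim().toLowerCase();
}

/** Legacy report-uri format: {"csp-report": {"document-uri": ..., "blocked-uri": ...}} */
function fromLegacy(obj: Record<string, unknown>): CspViolation | null {
  const r = obj["csp-report"];
  if (!r || typeof r !== "object") return null;
  const rep = r as Record<string, unknown>;
  return {
    documentUri: str(rep["document-uri"]),
    violatedDirective: str(rep["violated-directive"] ?? rep["effective-directive"]),
    blockedUri: str(rep["blocked-uri"]),
    disposition: str(rep["disposition"]) || "enforce",
  };
}

/** Reporting API format: an array of {type: "csp-violation", body: {documentURL, ...}}; other report types are skipped */
function fromReportingApi(arr: unknown[]): CspViolation[] {
  const out: CspViolation[] = [];
  for (const item of arr) {
    if (!item || typeof item !== "object") continue;
    const rec = item as Record<string, unknown>;
    if (rec["type"] !== "csp-violation") continue;
    const body = rec["body"];
    if (!body || typeof body !== "object") continue;
    const b = body as Record<string, unknown>;
    out.push({
      documentUri: str(b["documentURL"]),
      violatedDirective: str(b["effectiveDirective"]),
      blockedUri: str(b["blockedURL"]),
      disposition: str(b["disposition"]) || "enforce",
    });
  }
  return out;
}

/** Parse a report body by content type; null means the body was not valid JSON. */
function parseCspReports(contentType: string, body: string): CspViolation[] | null {
  let parsed: unknown;
  try {
    parsed = JSON.parse(body);
  } catch {
    return null;
  }
  // Some agents label Reporting API arrays as application/json, so dispatch on shape first.
  if (Array.isArray(parsed)) return fromReportingApi(parsed);
  if (mimeOf(contentType) !== "application/reports+json" && parsed && typeof parsed === "object") {
    const v = fromLegacy(parsed as Record<string, unknown>);
    return v ? [v] : [];
  }
  return [];
}

interface HandleResult {
  status: number;
  reports: CspViolation[];
}

/** Endpoint logic decoupled from any framework's Request: 404 wrong route, 415 wrong type, 413 too large, 400 bad JSON. */
function handleReportRequest(
  method: string,
  pathname: string,
  contentType: string,
  body: string,
  reportPath = "/__cspreport__",
): HandleResult {
  if (method !== "POST" || pathname !== reportPath) return { status: 404, reports: [] };
  if (!ACCEPTED_TYPES.includes(mimeOf(contentType))) return { status: 415, reports: [] };
  if (new TextEncoder().encode(body).length > MAX_REPORT_BYTES) return { status: 413, reports: [] };
  const reports = parseCspReports(contentType, body);
  if (reports === null) return { status: 400, reports: [] };
  return { status: 204, reports };
}

// Constructed sample in the legacy format, as a browser would send it for a blocked script.
const SAMPLE_LEGACY_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://example.test/page",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://third-party.test/x.js",
  },
});

console.log(handleReportRequest("POST", "/__cspreport__", "application/csp-report; charset=utf-8", SAMPLE_LEGACY_REPORT));
```

Rejecting oversized or non-JSON bodies before parsing, and returning 204 with no body on success, keeps the endpoint from becoming a free log-spam or resource sink, which matters because the report URL is public by design.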
