Feature #87421
Epic #87417: Integrate proper Content Security Policy (CSP) handling
Integrate CSP reporting endpoint
Start date:
2019-01-13
Due date:
% Done:
0%
Estimated time:
PHP Version:
Tags:
Complexity:
Sprint Focus:
Description
In order to monitor CSP violations or misconfigurations and according reporting endpoint has to be integrated.
Documentation:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri (deprecated, but still supported & used)
Details of mismatches shall be collected and stored in an according log, containing:
- date + time
- remote address (probably configurable concerning GDPR)
- user session related information (probably configurable concerning GDPR)
- violation event (https://www.w3.org/TR/CSP2/#firing-securitypolicyviolationevent-events)
Concerning GDPR it has to be considered that logging also might be used to analyse security incidents which makes it valuable to store additional information like IP addresses.
Updated by