Feature #87421
closed Epic #87417: Integrate proper Content Security Policy (CSP) handling
Integrate CSP reporting endpoint
Start date: 2019-01-13
% Done: 0%
Description
In order to monitor CSP violations or misconfigurations, an according reporting endpoint has to be integrated.
Documentation:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri (deprecated, but still supported & used)
Details of mismatches shall be collected and stored in an according log, containing:
- date + time
- remote address (probably configurable concerning GDPR)
- user session related information (probably configurable concerning GDPR)
- violation event (https://www.w3.org/TR/CSP2/#firing-securitypolicyviolationevent-events)
Concerning GDPR, it has to be considered that logging might also be used to analyse security incidents, which makes it valuable to store additional information like IP addresses.
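An added example, not part of this ticket and not TYPO3's implementation: PHP that accepts both report formats (`application/csp-report` for `report-uri`, `application/reports+json` for `report-to`) and builds the log record listed above, with the remote address and session information controlled by settings. All constant names, function names and sample values are assumptions made for illustration.

```php
<?php
// Hypothetical settings; the ticket only says these should be configurable (GDPR).
const LOG_REMOTE_ADDRESS = 'anonymized'; // 'full', 'anonymized' or 'none'
const LOG_SESSION = true;                // stores a hash, never the raw session id
const MAX_BODY_BYTES = 16384;            // reports are unauthenticated input

/** Returns the violation objects found in either report format. */
function parseCspReports(string $contentType, string $body): array
{
    $data = strlen($body) <= MAX_BODY_BYTES ? json_decode($body, true) : null;
    $mime = strtolower(trim(explode(';', $contentType)[0]));
    if ($mime === 'application/csp-report' && is_array($data)) {          // report-uri: one wrapped object
        $data = [['type' => 'csp-violation', 'body' => $data['csp-report'] ?? null]];
    } elseif ($mime !== 'application/reports+json' || !is_array($data)) { // report-to: array of reports
        return [];
    }
    $violations = [];
    foreach ($data as $report) {
        if (is_array($report) && ($report['type'] ?? null) === 'csp-violation' && is_array($report['body'] ?? null)) {
            // Keep scalar fields only and cap string length before anything reaches the log.
            $violations[] = array_map(fn($v) => is_string($v) ? substr($v, 0, 2048) : $v, array_filter($report['body'], 'is_scalar'));
        }
    }
    return $violations;
}

/** Zeroes the host part: last octet for IPv4, last 80 bits for IPv6. */
function anonymizeIp(string $ip): string
{
    $packed = (string)@inet_pton($ip); // '' when $ip is not a valid address
    $keep = strlen($packed) === 4 ? 3 : 6;
    return $packed === '' ? '' : inet_ntop(str_pad(substr($packed, 0, $keep), strlen($packed), "\0"));
}

/** One record per violation: date + time, remote address, session info, violation event. */
function buildLogRecords(string $contentType, string $body, string $remoteAddr, ?string $sessionId): array
{
    $base = ['time' => gmdate('c')];
    if (LOG_REMOTE_ADDRESS !== 'none') {
        $base['remoteAddress'] = LOG_REMOTE_ADDRESS === 'full' ? $remoteAddr : anonymizeIp($remoteAddr);
    }
    if (LOG_SESSION && $sessionId !== null) {
        $base['sessionHash'] = substr(hash('sha256', $sessionId), 0, 16);
    }
    return array_map(fn($v) => $base + ['violation' => $v], parseCspReports($contentType, $body));
}

// Constructed sample request in the report-uri format, not captured traffic.
$body = '{"csp-report":{"document-uri":"https://example.org/","violated-directive":"script-src","blocked-uri":"https://cdn.example.net/x.js"}}';
echo json_encode(buildLogRecords('application/csp-report', $body, '203.0.113.57', 'sample-session-id'), JSON_PRETTY_PRINT | JSON_INVALID_UTF8_SUBSTITUTE), "\n";
```

With the settings shown, the sample logs `203.0.113.0` as the remote address and a truncated SHA-256 of the session id, so records from one session can be correlated without the log holding a usable session token.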
Updated by Oliver Hader about 3 years ago
- Target version changed from Candidate for Major Version to 12 LTS
Updated by Oliver Hader almost 2 years ago
- Related to Feature #87423: Integrate CSP management module added
Updated by Oliver Hader almost 2 years ago
- Status changed from Accepted to Resolved
→ done with #87423
Updated by Oliver Hader 8 months ago
- Related to Task #103934: CSP report-uri is marked as deprecated and should be replaced by report-to and additional Report-To Header added