Feature #87421
Epic #87417 (closed): Integrate proper Content Security Policy (CSP) handling
Integrate CSP reporting endpoint
Start date: 2019-01-13
% Done: 0%
Description
In order to monitor CSP violations or misconfigurations, an according reporting endpoint has to be integrated.
Documentation:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri (deprecated, but still supported & used)
Details of mismatches shall be collected and stored in an according log, containing:
- date + time
- remote address (probably configurable concerning GDPR)
- user session related information (probably configurable concerning GDPR)
- violation event (https://www.w3.org/TR/CSP2/#firing-securitypolicyviolationevent-events)
Concerning GDPR, it has to be considered that logging also might be used to analyse security incidents, which makes it valuable to store additional information like IP addresses.
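A sketch of the log record such an endpoint could build, added here as an example (it is not TYPO3 code and not part of the original issue). It accepts both the `report-uri` body (`application/csp-report`) and the `report-to` body (`application/reports+json`); the function names, the size cap, the IP truncation prefixes and the two GDPR switches are assumptions.

```python
import ipaddress
import json
from datetime import datetime, timezone

MAX_BODY = 16 * 1024  # assumed cap; the endpoint accepts unauthenticated input
# Legacy report-uri keys mapped to the names the report-to body uses.
LEGACY_KEYS = {"document-uri": "documentURL", "blocked-uri": "blockedURL",
               "effective-directive": "effectiveDirective",
               "original-policy": "originalPolicy"}

def anonymize_ip(addr):
    """Keep only the network part: /24 for IPv4, /48 for IPv6 (assumed policy)."""
    prefix = 24 if ipaddress.ip_address(addr).version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def parse_reports(content_type, body):
    """Return a list of violation dicts from either report format."""
    if len(body) > MAX_BODY:
        raise ValueError("report body too large")
    media_type = content_type.split(";")[0].strip().lower()
    data = json.loads(body)
    if media_type == "application/csp-report":  # sent for report-uri
        legacy = data.get("csp-report") if isinstance(data, dict) else None
        if not isinstance(legacy, dict):
            return []
        return [{LEGACY_KEYS.get(k, k): v for k, v in legacy.items()}]
    if media_type == "application/reports+json":  # sent for report-to
        items = data if isinstance(data, list) else []
        return [r["body"] for r in items if isinstance(r, dict)
                and r.get("type") == "csp-violation" and isinstance(r.get("body"), dict)]
    raise ValueError(f"unsupported content type: {media_type}")

def log_records(content_type, body, remote_addr, session_id=None, *,
                store_full_ip=False, store_session=False, now=None):
    """Build one log record per violation with the fields listed in the issue."""
    now = now or datetime.now(timezone.utc)
    return [{"time": now.isoformat(),
             "remote_address": remote_addr if store_full_ip else anonymize_ip(remote_addr),
             "session": session_id if store_session else None,
             "violation": v} for v in parse_reports(content_type, body)]

# Constructed sample bodies, one per report format.
LEGACY_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://example.org/", "blocked-uri": "https://cdn.example.net/x.js",
    "effective-directive": "script-src", "original-policy": "script-src 'self'"}}).encode()
REPORT_TO_SAMPLE = json.dumps([{"type": "csp-violation", "url": "https://example.org/",
    "body": {"documentURL": "https://example.org/", "blockedURL": "inline",
             "effectiveDirective": "style-src-elem"}},
    {"type": "deprecation", "body": {"id": "constructed"}}]).encode()
```

With both switches left at their defaults the record carries a truncated address and no session value; enabling them keeps the full values for incident analysis.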
Updated by Oliver Hader over 2 years ago
- Target version changed from Candidate for Major Version to 12 LTS
Updated by Oliver Hader about 1 year ago
- Related to Feature #87423: Integrate CSP management module added