Feature #87421
Epic #87417: Integrate proper Content Security Policy (CSP) handling
Integrate CSP reporting endpoint
Start date: 2019-01-13
% Done: 0%
Description
In order to monitor CSP violations or misconfigurations, a corresponding reporting endpoint has to be integrated.
Documentation:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri (deprecated, but still supported & used)
Details of mismatches shall be collected and stored in a corresponding log, containing:
- date + time
- remote address (probably configurable concerning GDPR)
- user session related information (probably configurable concerning GDPR)
- violation event (https://www.w3.org/TR/CSP2/#firing-securitypolicyviolationevent-events)
Concerning GDPR, it has to be considered that logging might also be used to analyse security incidents, which makes it valuable to store additional information like IP addresses.
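As an added illustration, not code from the TYPO3 core or from this issue, the following PHP 8.1 script shows how such an endpoint could accept both payload formats (the legacy `report-uri` body sent as `application/csp-report`, and the Reporting API `report-to` body sent as `application/reports+json`) and normalise each violation into the log record described above. The class name, the two privacy switches for remote address and session data, and the sample payloads are assumptions made for this example. Because the endpoint is reachable by any client that can render a page, the body size is capped and control characters are stripped from every field before the record is written, so that a crafted report cannot inject lines into the log.

```php
<?php
declare(strict_types=1);

// Example only (assumed class/option names); not TYPO3 core code.
final class CspReportCollector
{
    private const MAX_BODY_BYTES = 16384;  // reports are unauthenticated input: cap the size
    private const MAX_FIELD_LENGTH = 1024;

    // record field => [legacy report-uri key (kebab-case), Reporting API key (camelCase)]
    private const FIELD_MAP = [
        'documentURI'        => ['document-uri',        'documentURL'],
        'referrer'           => ['referrer',            'referrer'],
        'blockedURI'         => ['blocked-uri',         'blockedURL'],
        'violatedDirective'  => ['violated-directive',  'effectiveDirective'],
        'effectiveDirective' => ['effective-directive', 'effectiveDirective'],
        'originalPolicy'     => ['original-policy',     'originalPolicy'],
        'disposition'        => ['disposition',         'disposition'],
        'sourceFile'         => ['source-file',         'sourceFile'],
        'lineNumber'         => ['line-number',         'lineNumber'],
        'columnNumber'       => ['column-number',       'columnNumber'],
        'statusCode'         => ['status-code',         'statusCode'],
        'sample'             => ['script-sample',       'sample'],
    ];

    // Privacy switches (assumed): off by default, so personal data is only stored on explicit opt-in.
    public function __construct(
        private readonly bool $logRemoteAddress = false,
        private readonly bool $logSessionInfo = false,
    ) {}

    /** @return list<array<string,mixed>> one log record per reported violation */
    public function collect(string $contentType, string $body, array $context = []): array
    {
        if (strlen($body) > self::MAX_BODY_BYTES) {
            throw new LengthException('CSP report body too large');
        }
        $decoded = json_decode($body, true, 16, JSON_THROW_ON_ERROR);
        $mediaType = strtolower(trim(explode(';', $contentType, 2)[0]));
        if ($mediaType === 'application/csp-report') {
            $keyIndex = 0;
            $bodies = [$decoded['csp-report'] ?? null];
        } elseif ($mediaType === 'application/reports+json') {
            $keyIndex = 1;
            $bodies = [];
            foreach (is_array($decoded) ? $decoded : [] as $report) {
                if (is_array($report) && ($report['type'] ?? null) === 'csp-violation') {
                    $bodies[] = $report['body'] ?? null;
                }
            }
        } else {
            throw new InvalidArgumentException('Unsupported CSP report media type: ' . $mediaType);
        }

        $records = [];
        foreach ($bodies as $violation) {
            if (!is_array($violation)) {
                continue;  // malformed entry: skip it rather than log garbage
            }
            $record = ['time' => (new DateTimeImmutable())->format(DATE_ATOM)];
            if ($this->logRemoteAddress && isset($context['remoteAddress'])) {
                $record['remoteAddress'] = $context['remoteAddress'];
            }
            if ($this->logSessionInfo) {
                $record['sessionId'] = $context['sessionId'] ?? null;
                $record['userId'] = $context['userId'] ?? null;
            }
            $event = [];
            foreach (self::FIELD_MAP as $name => $keys) {
                $event[$name] = self::sanitise($violation[$keys[$keyIndex]] ?? null);
            }
            $record['violation'] = $event;
            $records[] = $record;
        }
        return $records;
    }

    /** Keep scalars only, strip control characters (log injection) and cap the length. */
    private static function sanitise(mixed $value): string|int|null
    {
        if (is_int($value)) {
            return $value;
        }
        if (!is_string($value)) {
            return null;
        }
        $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
        return mb_substr($clean, 0, self::MAX_FIELD_LENGTH);
    }
}

// Constructed sample payloads, one per format (not captured from a real browser)
$legacy = <<<'JSON'
{"csp-report":{"document-uri":"https://example.org/","violated-directive":"script-src 'self'",
 "effective-directive":"script-src","blocked-uri":"https://evil.example/x.js",
 "original-policy":"default-src 'self'","disposition":"enforce","status-code":200}}
JSON;
$reportTo = <<<'JSON'
[{"type":"csp-violation","age":12,"url":"https://example.org/","body":{"documentURL":"https://example.org/",
 "blockedURL":"inline","effectiveDirective":"script-src-elem","originalPolicy":"default-src 'self'",
 "disposition":"report","statusCode":200,"lineNumber":7,"sample":"alert(1)\nmalicious\x00line"}}]
JSON;

$collector = new CspReportCollector(logRemoteAddress: true, logSessionInfo: false);
$context = ['remoteAddress' => '203.0.113.7', 'sessionId' => 'constructed-session'];
foreach ([['application/csp-report', $legacy], ['application/reports+json; charset=utf-8', $reportTo]] as [$type, $json]) {
    foreach ($collector->collect($type, $json, $context) as $record) {
        error_log(json_encode($record, JSON_UNESCAPED_SLASHES));  // in TYPO3 this would go to the logging framework
    }
}
```

The two privacy switches map directly onto the "probably configurable concerning GDPR" items in the list above: with both off, a record carries only the timestamp and the violation event itself; an integrator who needs IP addresses for incident analysis turns `logRemoteAddress` on deliberately. The sanitiser shows why the event fields should not be trusted as-is: the constructed `sample` value contains a newline and a NUL byte that would otherwise land in the log file.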
Updated by Oliver Hader 6 months ago
- Target version changed from Candidate for Major Version to 12 LTS