Epic #87417: Integrate proper Content Security Policy (CSP) handling
Integrate CSP reporting endpoint
In order to monitor CSP violations or misconfigurations, a corresponding reporting endpoint has to be integrated.
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri (deprecated, but still supported & used)
Details of violations shall be collected and stored in a corresponding log, containing:
- date + time
- remote address (probably configurable concerning GDPR)
- user session related information (probably configurable concerning GDPR)
- violation event (https://www.w3.org/TR/CSP2/#firing-securitypolicyviolationevent-events)
Concerning GDPR, it has to be considered that the log might also be used to analyse security incidents, which makes it valuable to store additional information such as IP addresses.
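As an added illustration (not part of this epic and not the project's own code), the receiving side in Python: it parses the legacy report-uri JSON body, keeps only known violation fields, and builds the log entry with the remote address and session information switchable as the GDPR note above asks for. The size limit, the field whitelist, the "violated-directive" sanity check and the sample report are assumptions.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Fields of the legacy report-uri JSON format ("csp-report" object) that are
# kept; anything else is dropped so that only known data ends up in the log.
REPORT_FIELDS = (
    "document-uri", "referrer", "violated-directive", "effective-directive",
    "original-policy", "disposition", "blocked-uri", "status-code",
    "source-file", "line-number", "column-number", "script-sample",
)
MAX_REPORT_BYTES = 16 * 1024  # assumed limit; oversized bodies are rejected unparsed


def parse_csp_report(body: bytes) -> dict:
    """Parse a report-uri POST body and return the known violation fields.
    Raises ValueError for oversized, non-JSON or malformed reports so the
    endpoint can answer 400 instead of logging junk."""
    if len(body) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    try:
        data = json.loads(body)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        raise ValueError("report is not valid JSON") from exc
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        raise ValueError("not a CSP violation report")
    return {key: report[key] for key in REPORT_FIELDS if key in report}


def build_log_entry(report: dict, remote_addr: str, session_id: Optional[str],
                    *, log_remote_addr: bool = True, log_session: bool = False,
                    now: Optional[datetime] = None) -> dict:
    """Assemble the log entry: date + time, remote address and session
    information (both switchable for GDPR reasons) and the violation itself."""
    entry = {"time": (now or datetime.now(timezone.utc)).isoformat(),
             "violation": report}
    if log_remote_addr:
        entry["remote_addr"] = remote_addr
    if log_session and session_id:
        entry["session_id"] = session_id
    return entry


# Constructed sample: a browser reporting an inline script blocked by script-src.
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://example.org/page", "blocked-uri": "inline",
    "violated-directive": "script-src 'self'", "effective-directive": "script-src",
    "original-policy": "default-src 'self'; report-uri /csp-report",
    "disposition": "enforce", "status-code": 200}}).encode()
```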