How to view content security policy violation reports in rails?

I used the secure_headers gem (https://github.com/twitter/secureheaders) and configured CSP as

config.csp = {
  :enforce     => true,
  :default_src => 'http://* inline',
  :report_uri  => "/report",
  :connect_src => 'self',
  :style_src   => 'self inline',
  :script_src  => 'self inline eval',
  :font_src    => 'self'
}

but I still cannot view the reports at http://localhost:3000/report, and the page does not redirect.


EDIT:

https://report-uri.io/ offers CSP reporting capabilities. They give you a report URI and they manage the incoming reports!


There is currently no built-in support for aggregating or viewing reports in the gem. This question got me thinking, so I filed https://github.com/twitter/secureheaders/issues/71

Please add your thoughts. I don't think creating something meaningful is a trivial task, but I'm starting to understand how valuable it is. There is also a good amount of low-hanging fruit, which may be good enough for now.


The secure_headers gem does not provide a reporting endpoint for CSP violations. You would need to build one yourself or use a solution that provides both out of the box.

I published an overview of various ways to deploy a Content Security Policy with Ruby on Rails, including the SecureHeaders gem and Templarbit (which includes the reporting endpoint): https://www.templarbit.com/blog/2018/03/14/content-security-policy-with-ruby-on-rails

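A self-contained sketch of the endpoint both answers say you have to build yourself, added here as an example (it is not code from secure_headers, Templarbit or the original posts). It parses the application/csp-report JSON a browser POSTs to the report_uri, rejects malformed or oversized bodies, and shows in a comment how it would be mounted at /report in Rails; the route, controller name and sample report body are assumptions constructed for the example.

```ruby
require 'json'

# Parser for the payload a browser POSTs to the report-uri endpoint:
# Content-Type application/csp-report, body {"csp-report": {...}}.
class CspReport
  FIELDS = %w[document-uri violated-directive effective-directive blocked-uri
              source-file line-number original-policy].freeze
  MAX_BYTES = 16 * 1024 # refuse oversized bodies before parsing them

  # Returns a Hash of the known fields (symbol keys), or nil when the body
  # is not a well-formed violation report.
  def self.parse(body)
    return nil if body.nil? || body.bytesize > MAX_BYTES
    data = JSON.parse(body)
    report = data.is_a?(Hash) ? data['csp-report'] : nil
    return nil unless report.is_a?(Hash) &&
                      report['violated-directive'].is_a?(String)
    FIELDS.each_with_object({}) do |key, out|
      out[key.tr('-', '_').to_sym] = report[key].to_s if report.key?(key)
    end
  rescue JSON::ParserError
    nil
  end

  # One key=value line per report, suitable for Rails.logger or a log shipper.
  def self.to_log_line(report)
    report.map { |k, v| "#{k}=#{v.inspect}" }.join(' ')
  end
end

# Constructed sample of what a browser would send for an inline-script block.
SAMPLE_BODY = '{"csp-report":{"document-uri":"http://localhost:3000/",' \
              '"violated-directive":"script-src \'self\'",' \
              '"blocked-uri":"http://cdn.example/app.js","line-number":12}}'

# Assumed Rails wiring (shown as a comment so this file runs without Rails):
#   config/routes.rb:  post '/report', to: 'csp_reports#create'
#
#   class CspReportsController < ApplicationController
#     # Browsers attach no CSRF token to violation reports, so the default
#     # forgery check would reject every report POST.
#     skip_before_action :verify_authenticity_token
#     def create
#       report = CspReport.parse(request.body.read) # not in params: unknown MIME type
#       Rails.logger.warn("csp_violation #{CspReport.to_log_line(report)}") if report
#       head(report ? :no_content : :bad_request)
#     end
#   end

puts CspReport.to_log_line(CspReport.parse(SAMPLE_BODY))
```

Browsers only POST to the report URI; visiting /report in a browser issues a GET and shows nothing, so the reports have to be read from wherever the controller writes them.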

Source: https://habr.com/ru/post/1500250/
