zae/csp-reporting

CSP Reporting

Maintainers

Details

github.com/Zae/ContentSecurityPolicyReporting

Source

Issues

Installs: 1 911

Dependents: 0

Suggesters: 1

Security: 0

Stars: 2

Watchers: 4

Forks: 1

Open Issues: 1

1.0.0 2023-04-20 09:34 UTC

Requires

Requires (Dev)

Suggests

MIT 5681fe9e3113998c90301505bc6dcaac99b63d5d

  • Ezra Pool <ezra.woop@tsdme.nl>

laravelcsppsr7zaecsp-report

This package is auto-updated.

Last update: 2024-11-20 13:01:49 UTC

README

Latest Version Software License Total Downloads

Catch the policy violations your users generate and store them somewhere

Install

Via Composer

$ composer require zae/csp-reporting

Usage

Configure your csp reports to go to /csp-report.

Laravel

Publish the config file using artisan vendor:publish

#config/csp-report.php

return [
    'persist' => [
        'class' =>  LogCspPersister::class,
        'properties' => [
            'loglevel' => Psr\Log\LogLevel::INFO
        ]
    ],
    'limiter' => [
        'class' => CspCacheLimiter::class,
        'properties' => [
            'key' => 'csp-rate-limiter',
            'maxAttempts' => 1,
            'decay' => 60
        ]
    ],
];

By default the plugin will store the violations in the log, but there is also a BugsnagPersister that will send the violation to bugsnag.

Craft 3

Configure your application to use the Module with the right limiter and persister.

use Zae\ContentSecurityPolicyReporting\Contracts\CspLimiter;
use Zae\ContentSecurityPolicyReporting\Contracts\CspPersistable;
use Zae\ContentSecurityPolicyReporting\Limiters\CspLotteryLimiter;
use Zae\ContentSecurityPolicyReporting\Persisters\BugsnagCspPersister;

return [
    'bootstrap' => [
        'csp-reporting'
    ],
    'components' => [
        'csp-reporting' => [
            'class' => \Zae\ContentSecurityPolicyReporting\Craft\Module::class,
            'components' => [
                CspPersistable::class => static function () {
                    return new BugsnagCspPersister(
                        \Bugsnag\Client::make(getenv('BUGSNAG_API_KEY'))
                    );
                },
                CspLimiter::class => static function () {
                    return new CspLotteryLimiter(5);
                }
            ]
        ],
    ]
]

On high traffic sites the violations might occur often and probably they will all be the same, so the limiter will make sure only a part of the violations will actually be stored.

The properties array will allow you to configurate the handlers.

You can also provide your own classes as long as they implement the right interfaces.

Provided Limiters

  • CspCacheLimiter
  • CspLotteryLimiter

Provided Persisters

  • LogCspPersister
  • BugsnagCspPersister

Testing

$ composer run test

Contributing

Contributions are welcome via pull requests on github.

Credits

License

The MIT License (MIT). Please see License File for more information.