Storing Content-Security-Policy reports in elmah.io
This is the third post in a series about ASP.NET security:
- Part 1: Improving security in ASP.NET MVC using custom headers
- Part 2: Content-Security-Policy in ASP.NET MVC
- Part 3: Storing Content-Security-Policy reports in elmah.io
- Part 4: The ultimate guide to secure cookies with web.config in .NET
In the previous post, Content-Security-Policy in ASP.NET MVC, I showed you how to implement the
Content-Security-Policy header. This header is among the more difficult to implement, since you need an overview of all of the dependencies of your web app. I also mentioned the
Content-Security-Policy-Report-Only header, which will show you the blocked resources, but carry on the execution like nothing happened.
Content-Security-Policy-Report-Only header is great, you probably want to run with that in production before actually switching to
Content-Security-Policy. Having real users testing your system with the report header included, is the ultimate test really. The problem here is, that Chrome (and other browsers) as default reports any problems to the console. Since you cannot see each users console, you will need to intercept problems happening in another way.
Would your users appreciate fewer errors?➡️ Reduce errors by 90% with elmah.io error logging and uptime monitoring ⬅️
Say hello to
report-uri is a mechanism built into
Content-Security-Policy, that lets you send all errors, otherwise only shown in the console, to an URL of your choice. While you can develop a REST API that receives these errors, why not use elmah.io? We have developed a simple proxy that does nothing more than receive Content-Security-Policy reports and log them in an elmah.io of your choice. The project is located on GitHub here: Elmah.Io.ContentSecurityPolicy.Proxy.
To set up the proxy, clone the repository and change
API_KEY should match a key found beneath your organization settings and
LOG_ID should be the ID of the log you want to include the reports. Once changed, deploy the service to an IIS, Azure or similar. The proxy is built in ASP.NET Core and therefore deployable pretty much everywhere.
To use the proxy from your web app, add a
report-uri to the
<add name="Content-Security-Policy-Report-Only" value="default-src 'self'; report-uri https://cspreports.azurewebsites.net/reportOnly" />
That's it folks. Reports are now automatically sent to elmah.io:
We monitor your websites
We monitor your websites for crashes and availability. This helps you get an overview of the quality of your applications and to spot trends in your releases.
We notify you
We notify you when errors starts happening using Slack, HipChat, mail or other forms of communication to help you react to errors before your users do.
We help you fix bugs
We help you fix bugs quickly by combining error diagnostic information with innovative quick fixes and answers from Stack Overflow and social media.