Skip to content

protostartup/django-csp-reports

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

89 Commits

cspreports

cspreports

 
 

.flake8

.flake8

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

.isort.cfg

.isort.cfg

 
 

.travis.yml

.travis.yml

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

runtests.py

runtests.py

 
 

setup.cfg

setup.cfg

 
 

setup.py

setup.py

 
 

tox.ini

tox.ini

 
 

Repository files navigation

Django Content Security Policy Reports

Build Status

A Django app for handling reports from web browsers of violations of your website's content security policy.

This app does not handle the setting of the Content-Security-Policy HTTP headers, but deals with handling the reports that web browsers may submit to your site (via the report-uri) when the stated content security policy is violated.

It is recommended that you use an app such as django-csp (Github) to set the Content-Security-Policy headers.

So What Does This Thing Do?

It receives the reports from the browser and does any/all of the following with them:

  • Logs them using the python logging module.
  • Sends them to you via email.
  • Saves them to the datbase via a Django model.
  • Runs any of your own custom functions on them.
  • Can generate a summary of a reports.

Supported Django Versions

Supports Python 2.7, 3.4 to 3.7 and Django 1.8 to 2.0.

How Do I Use This Thing?

  1. Install this app into your Django project somehow.
  2. Add 'cspreports' to your INSTALLED_APPS.
  3. Include cspreports.urls in your URL config somewhere.
  4. In your Content-Security-Policy HTTP headers, set reverse('report_csp') as the report-uri. (Note, with django-csp, you will want to set CSP_REPORT_URI = reverse_lazy('report_csp') in settings.py).
  5. Set all/any of the following into settings.py as you so desire, hopefully they are self-explanatory:
    • CSP_REPORTS_EMAIL_ADMINS (bool defaults to True).
    • CSP_REPORTS_LOG (bool defaults to True).
    • CSP_REPORTS_LOG_LEVEL (str, one of the Python logging module's available log functions, defaults to 'warning').
    • CSP_REPORTS_SAVE (bool defaults to True). Determines whether the reports are saved to the database.
    • CSP_REPORTS_ADDITIONAL_HANDLERS (iterable defaults to []). Each value should be a dot-separated string path to a function which you want be called when a report is received. Each function is passed the HttpRequest of the CSP report.
    • CSP_REPORTS_LOGGER_NAME (str defaults to CSP Reports). Specifies the logger name that will be used for logging CSP reports, if enabled.
  6. Set a cron to generate summaries.
  7. Enjoy.

Commands

clean_cspreports

Deletes old reports from the database.

Options:

  • --limit - timestamp that all reports created since will not be deleted. Defaults to 1 week. Accepts any string that can be parsed as a datetime.

make_csp_summary

Generates a summary of CSP reports.

By default includes reports from yesterday (00:00:00 to midnight). The summary shows the top 10 violation sources (i.e. pages from which violations were reported), the top 10 blocked URIs (banned resources which the pages tried to load), and the top 10 invalid reports (which the browser provided an invalid CSP report).

Options:

  • --since - timestamp of the oldest reports to include. Accepts any string that can be parsed as a datetime.
  • --to - timestamp of the newest reports to include. Accepts any string that can be parsed as a datetime.
  • --top - limit of how many examples to show. Default is 10.

About

Django app for handling browser reports from Content Security Policy violations

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages

  • Python 99.3%
  • Makefile 0.7%