CSP report endpoint for monitoring attempted browser policy violations

12034 views

                  class CspReportsController < ActionController::API
  def create
    Rails.logger.warn({
      event: 'csp_report',
      report: params.to_unsafe_h,
      ip: request.remote_ip,
    }.to_json)

    head :no_content
  end
end

I like CSP reporting because it reveals both rollout mistakes and active attack attempts. The endpoint should accept reports quietly, avoid noisy validation failure loops, and forward the data into normal observability systems. Reporting without triage is just another log sink.

Kai Nakamura

More from Kai Nakamura

CSP report endpoint for monitoring attempted browser policy violations

0 Comments

More from Kai Nakamura