Thinking about building something but it would be handy to know if there's anything out there that does this already.
JakobTheDev
Posted on
Read next
[Announcement]Unlimited Endpoint Backup at Rs. 150 Per Month
Sundeep Grandhi -
[Tips] for Hardening Network Infrastructure
Sundeep Grandhi -
[Announcement] Identifying malicious packages just got a whole lot easier!
Daniel Berman -
Snyk VS Code integration hangs after authentication to Snyk.
Thiam Soon Chew -
Discussion (11)
You need to connect your CSP to send browser reports of violations (blocks).
You can use rapidsec.com that helps you easily generate a good CSP that will block attacks, but allow legitimate parts of your site.
This post was originally asked in the DevSecCon Slack
If you haven't yet done so, you can join here.
Would the
report-uribit of CSP be useful here, or am I misunderstanding?csper.io
The report-uri endpoint of CSP is meant to collect these notifications. This tries to normalize them. I know of a browser plugin being developed to help with this as well. Don't have an ETA
Of course,
report-uritotally makes sense. Thanks, I'll check out csper too 😄There's also report-uri.com/home/tools
Is csp-evaluator.withgoogle.com/ something you've tried?
Thanks, that looks useful! But not quite what I'm after in this case. Part of our manual testing is to open devtools and make sure there are no errors where legitimate content is being blocked due to CSP or mixed-content. It would be handy to automate that as a post-deploy check.
Ah, not come across anything but interested if you find something
It should be pretty straightforward to spin up a headless browser then report on any console errors. I'll keep looking and will post back here if I find anything