CSP violation report endpoint using Elasticsearch as storage. Basically a https://report-uri.io/ alternative.
It is a Node.js application designed to receive CSP (Content Security Policy) reports and inject them in Elasticsearch for analysis.
- Node application uses http://restify.com/ framework
- The application has been tested in Ubuntu 14.04 LTS and 16.04 LTS (both 64-bit).
- bash : (optional) Scripts to rotate old indexes (indices) in Elasticsearch
- example : (optional) Example of a CSP Report this server is meant to receive
- infrastructure : (optional) Scripts to create the server and services using AWS PowerShell CLI
- nginx : Configuration file for Nginx
- nodejs : Node.js application that gets the CSP Reports and sends them to Elasticsearch
This project was implemented and tested using Amazon AWS services in the following way:
AWS EC2 (Linux) running Nginx and Node.js -> AWS Elasticsearch Service
TLDR;
- Checkout this project in your server
git clone git@github.com:seek-oss/csp-server.git
- Edit
nodejs/config.js
and set the Elasticsearch URL, port and version - Start nodejs application with
nodejs/server.js
node ./nodejs/server.js
This way the Node.js appliation will listen in the configured port and process POST requests containing CSP reports. Each POST will be sent to Elasticsearch into indices named cspdata-YYYYMMDD
Endpoints:
POST
http://localhost:9000/index - CSP report in json formatGET
http://localhost:9000/_healthcheck - health check
For details on how to configure a server to support https (SSL) using Nginx, Node as service using PM2 manager, log rotation and setting up Elasticsearch in AWS continue reading:
In this project we create the AWS resources using AWS CLI.
- EC2 in AWS running Ubuntu - Instructions here: infrastructure
- Elasticsearch in AWS - Instructions here: infrastructure
-
Install Nginx - Instructions here: nginx
-
Install Node - Instructions here: nodejs
-
Configure Elasticsearch - Instructions here: elasticsearch
-
Configure rotation scripts - Instructions here: bash
Get your customers to start sending CSP reports to your server