Self-hosted Content-Security-Policy report, etc, collector/displayer?

tl;dr: self-hosted report-uri.com?

I messed up my site's Content-Security-Policy and blew up my report quota on report-uri.com last month. I'm happy with them, but I don't really want to pay for this service, and I want to avoid that in the future. So I'm looking for something(s) to:

  1. Collect Content-Security-Policy browser reports (go-csp-collector is sufficient here, if not great, as it doesn't support the newer Report-To) and log to JSON (or whatever)
  2. Collect other browser reports such as NEL, Deprecation, Crash and log to JSON
  3. Collect SMTP-TLS and DMARC email reports and log to JSON
  4. Display them somehow for searching and for seeing trends: preferably something less manual than Grafana, but I can collect the logs and do custom dashboards in Grafana that parse JSON (or whatever) logs if I need to.
  5. Let me filter incoming reports based on various things (like ignore CSP reports with no URL)

In my searches I found plenty of SaaS and no source code for the whole thing. Sentry and its clones are too much; I don't want to instrument an app I don't have. I did find plenty of 5-year-old abandoned projects, though.

So, what's out there in this space for self-hosting?

For reference, report-uri.com looks like the below, with the ability to drill down and filter and see reports.

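For items 1, 2 and 5 of the list in the post, a small collector can accept both the legacy `report-uri` body (`application/csp-report`) and Reporting API batches (`application/reports+json`, which also carry NEL, Deprecation and Crash reports), filter them, and write JSON lines. This is an added example, not part of the original post and not go-csp-collector's code; the names `normalize`, `keep` and `Collector`, the output field names, the port, and the reading of "no URL" as an empty document URL are assumptions.

```python
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

def normalize(content_type, raw):
    """Flatten a legacy report-uri body or a Reporting API batch into dicts."""
    data = json.loads(raw)
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/csp-report":  # legacy report-uri: single object
        r = data.get("csp-report", {})
        return [{"type": "csp-violation",
                 "url": r.get("document-uri", ""),
                 "blocked": r.get("blocked-uri", ""),
                 "directive": r.get("effective-directive") or r.get("violated-directive", "")}]
    if ctype == "application/reports+json":  # Reporting API: array of typed reports
        out = []
        for item in data if isinstance(data, list) else [data]:
            body = item.get("body") or {}
            out.append({"type": item.get("type", ""),
                        "url": item.get("url") or body.get("documentURL", ""),
                        "blocked": body.get("blockedURL", ""),
                        "directive": body.get("effectiveDirective", "")})
        return out
    raise ValueError("unsupported content type: " + ctype)

def keep(report):
    """Assumed reading of item 5: drop CSP reports that carry no URL."""
    return not (report["type"] == "csp-violation" and not report["url"])

class Collector(BaseHTTPRequestHandler):
    MAX_BODY = 64 * 1024  # reports are untrusted input; cap the body size

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length") or 0)
            if not 0 < length <= self.MAX_BODY:
                raise ValueError("missing or oversized body")
            reports = normalize(self.headers.get("Content-Type", ""),
                                self.rfile.read(length))
        except (ValueError, AttributeError):  # bad JSON, bad type, wrong shape
            self.send_error(400)
            return
        for report in filter(keep, reports):
            sys.stdout.write(json.dumps(report) + "\n")  # one JSON object per line
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Collector).serve_forever()  # port is arbitrary
```

The JSON-lines output can be redirected to a file and parsed by whatever dashboard tooling reads JSON logs; SMTP-TLS and DMARC reports (item 3) arrive by email and are out of scope for this HTTP endpoint.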