[RUBY] Best way to Report CSP and make it meaningful

I am trying to roll out Content Security Policy for our apps iteratively and I was wondering what the best practice is for CSP report monitoring in New Relic. I have tried a couple of ways to get the data from report-only to New Relic, but I am not sure how to make it meaningful and how others use this.

Based on

I am using the ruby agent and here are a couple examples and thoughts.

So I set up an endpoint as follows for report-url to hit.

This example is set up to send all that CSP report data as errors in Events. The following example will send all the attributes as custom params, and they will show up under Events -> Errors in https://rpm.newrelic.com/ under APM. Then I can create dashboards and alarms.

  def report
    # Browsers POST the violation as JSON: {"csp-report": {...}}
    violation = JSON.parse(request.raw_post)['csp-report']
    NewRelic::Agent.notice_error('cspReport', :custom_params => violation)
    head :no_content
  end

Another way is to send that data as a custom event to Insights and query it as follows. However, we will have to query the event type in Insights and will end up with a table. But I think I can create a custom dashboard based on that query and set alarms on it.

  def report
    # Same parse as above, but the violation attributes become a custom event
    violation = JSON.parse(request.raw_post)['csp-report']
    NewRelic::Agent.record_custom_event('cspReport', violation)
    head :no_content
  end

Please let me know or point me in the right direction as to what the best practice is to monitor CSP reporting.

Thank you so much

@Eric.Fung

I was checking around internally regarding CSP monitoring with New Relic. It looks as though it’s currently unsupported and as such I don’t have advice on what would be best for monitoring CSP. That said, I was digging around and I found a community post that may be helpful:

But that appears to have more to do with Browser rather than APM, so it is likely not what you are looking for. If you are able to get the info you need using the methods mentioned in Insights, then I recommend whichever one seems to give you the most reliable information.

Is there anything in the works for supporting CSP reporting? Seems like everyone could benefit from that.

I think for now we will log that as an error rather than to Insights, since it’s easier to look at and monitor directly from APM.

Hey Eric,
This has been a pain point for me as well, as NR not only doesn’t actively support reporting of CSP enforcement and violations, but their auto-injection is absolutely not CSP friendly (due to the auto-injection of occasionally updating JS). Here’s how I handle CSP on my properties:

  • I disable auto-injection of NRUM.js
  • I manually pull the script from the “Add a site” button in Browser and put the script in the HEAD of my document.
    • For most scripts, this is a bad practice, but NRUM has to be there at the document start for accurate timings, and I then use HTTP/2 PUSH so it’s fast enough that it’s non-blocking.
  • My CSP has the origin whitelisted and I include the SRI hash in the script tag.
  • My CSP uses a report endpoint at reporturi.com, which is a fantastic tool made by Scott Helme.

Currently, I’m playing the occasional cat-and-mouse game of updating the hash when the origin updates, but it’s much less frequent than auto-injection. I’m also working on a transposer system that will pull reports from ReportURI and a couple of other sources and put them in Insights. If I can write it using non-proprietary code, I’m happy to open-source it, but no promises.


Thanks for offering your workaround here @mike13 - We’ll get your thoughts on our CSP unfriendliness sent up to the right folks internally.

Hi @RyanVeitch, one thing I need to confirm with you:
the above report endpoint mentioned by @mike13, do you have a similar function in New Relic?

Hey @lien - I don’t believe the New Relic Product suite has anything that can match the report uri tool.

It has been more than a year, and we noticed that logging CSP as an error to NR is NOT a good solution because it creates a lot of confusion about errors that we can’t fix and throws off a lot of the error metrics. Some of those CSP errors are caused by browser extensions or other plugins. Our next idea is to log that as a custom event and have another dashboard to keep an eye on it.
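The two endpoints in the opening post and the custom-event idea above both hand the raw `csp-report` object straight to the agent. As an added example (not code from this thread or from New Relic), the handler below does the parsing and filtering in one place: it validates the report body, keeps a fixed set of fields renamed to snake_case so they are easy to query, drops violations whose `blocked-uri` or `source-file` points at a browser-extension scheme (a heuristic I am assuming here, not something the thread states), and passes the result to an injected sink. `CspReportHandler`, the sink interface and both sample reports are my own constructions; in a Rails controller the sink would be `NewRelic::Agent.method(:record_custom_event)`.

```ruby
require 'json'

# Added example, not from the thread: a CSP report handler that parses the
# browser's report, drops violations caused by browser extensions, and hands
# the normalized fields to a sink such as
# NewRelic::Agent.method(:record_custom_event). The sink is injected so the
# code runs without the newrelic_rpm gem.
module CspReportHandler
  # Assumption: URI schemes used by browser extensions. Violations that
  # reference them come from extension-injected content, which no change to
  # the site's policy can fix.
  EXTENSION_SCHEMES = %w[chrome-extension moz-extension safari-extension
                         ms-browser-extension].freeze

  # Report fields worth keeping; keys are renamed to snake_case so they are
  # easy to query (e.g. WHERE violated_directive LIKE 'script-src%').
  FIELDS = %w[document-uri referrer violated-directive effective-directive
              original-policy disposition blocked-uri source-file
              line-number column-number status-code script-sample].freeze

  class InvalidReport < StandardError; end

  # Parse the raw POST body. Raises InvalidReport on malformed input so the
  # controller can answer 400 instead of recording garbage.
  def self.parse(raw_body)
    data = JSON.parse(raw_body)
    report = data['csp-report'] if data.is_a?(Hash)
    raise InvalidReport, 'missing csp-report object' unless report.is_a?(Hash)
    FIELDS.each_with_object({}) do |key, out|
      out[key.tr('-', '_')] = report[key] if report.key?(key)
    end
  rescue JSON::ParserError => e
    raise InvalidReport, "invalid JSON: #{e.message}"
  end

  # True when the violation references an extension scheme in blocked_uri or
  # source_file (hypothetical heuristic, see EXTENSION_SCHEMES).
  def self.extension_noise?(report)
    %w[blocked_uri source_file].any? do |k|
      value = report[k].to_s
      EXTENSION_SCHEMES.any? { |s| value.start_with?("#{s}://") }
    end
  end

  # Process one report body. Returns :recorded when the sink was called and
  # :ignored when the violation was classified as extension noise.
  def self.handle(raw_body, sink:, event_type: 'cspReport')
    report = parse(raw_body)
    return :ignored if extension_noise?(report)
    sink.call(event_type, report)
    :recorded
  end
end

# Constructed sample reports (not captured from a real site).
SAMPLE_VIOLATION = {
  'csp-report' => {
    'document-uri' => 'https://app.example.com/dashboard',
    'violated-directive' => 'script-src',
    'effective-directive' => 'script-src',
    'original-policy' => "default-src 'self'; script-src 'self'",
    'disposition' => 'report',
    'blocked-uri' => 'https://cdn.example.net/widget.js',
    'status-code' => 200
  }
}.to_json

SAMPLE_EXTENSION = {
  'csp-report' => {
    'document-uri' => 'https://app.example.com/dashboard',
    'violated-directive' => 'script-src',
    'blocked-uri' => 'chrome-extension://abcdefghijklmnop/content.js'
  }
}.to_json

if $PROGRAM_NAME == __FILE__
  # Stand-in sink for NewRelic::Agent.method(:record_custom_event)
  sink = ->(type, attrs) { puts "#{type}: #{attrs.inspect}" }
  puts CspReportHandler.handle(SAMPLE_VIOLATION, sink: sink)
  puts CspReportHandler.handle(SAMPLE_EXTENSION, sink: sink)
end
```

In a Rails action this reduces to `CspReportHandler.handle(request.raw_post, sink: NewRelic::Agent.method(:record_custom_event))` followed by `head :no_content`, with `rescue CspReportHandler::InvalidReport` answering `head :bad_request`. Keeping the filter separate from the sink also means the same code can feed `notice_error` instead, if you still want errors, without the extension noise that skews the error metrics.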

@Eric.Fung - Thank you so much for following up on this. It sounds like it’s been a frustrating experience, and I appreciate you tracking this down since we don’t have an out of the box answer. I’m curious to hear if the custom event strategy works!