jensdt / go-csp-collector Goto Github PK

This is a content security policy violation collector written in Golang.

It has been designed to listen on port 8080 and accept POST payloads containing the violation report. It captures the report and will write it to STDOUT via Go's logger.

A neat little feature of this tool is that it automatically ignores unactionable reports. Check out the default list if you're interested.

$ go get github.com/jacobbednarz/go-csp-collector

Alternatively, you can download the binaries from the release page.

$ go build csp_collector.go
$ ./csp_collector

You will either need to build within a docker container for the purpose, or use CGO_ENABLED=0 flag to make the build compatible with alpine linux in a docker container.

$ CGO_ENABLED=0 go build csp_collector.go

See the sample.filterlist.txt file as an example of the filter list in a file

Additional information can be attached to each report by adding a metadata url parameter to each report. That value will be copied verbatim into the logged report.

For example a report sent to https://collector.example.com/?metadata=foobar will include field metadata with value foobar.

The output format can be controlled by passing --output-format <type> to the executable. Available formats are:

• Text: A key/value output that quotes all the values. Example: blocked_uri="about:blank" ...
• JSON: Single line, compressed JSON object. Example: {"blocked_uri":"about:blank"}

The default formatter is text.

If you'd rather have these violations end up in a file, I suggest just redirecting the output into a file like so:

$ ./csp_collector 2>> /path/to/violations.log

This project purposely doesn't try to solve the problem of visualing the violation data because there are already a bunch of great solutions out there. Once you have your violations being collected, be sure to slurp them into your favourite log aggregation tool.

Currently supported deployment mechanisms:

• kubernetes/helm