{"id":42885445,"url":"https://github.com/giuliocomi/csplogger","last_synced_at":"2026-01-30T14:48:38.703Z","repository":{"id":122905330,"uuid":"166710500","full_name":"giuliocomi/csplogger","owner":"giuliocomi","description":"A CSP endpoint to aggregate, correlate and analyze report-uri violations across your infrastructure","archived":false,"fork":false,"pushed_at":"2024-03-04T15:59:11.000Z","size":246,"stargazers_count":33,"open_issues_count":0,"forks_count":2,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-03-04T17:52:35.763Z","etag":null,"topics":["apparmor","csp","dashboard","docker","flask","hardened-image","infrastructure","logging","report-uri","seccomp","security-audit","security-tools"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/giuliocomi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2019-01-20T21:18:29.000Z","updated_at":"2024-03-04T15:59:16.000Z","dependencies_parsed_at":"2024-03-04T17:46:02.239Z","dependency_job_id":"383ce5a0-d460-4052-8214-9ee8d46d4e9b","html_url":"https://github.com/giuliocomi/csplogger","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/giuliocomi/csplogger","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giuliocomi%2Fcsplogger","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giuliocomi%2Fcsplogger/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giuliocomi%2Fcsplogger/releases","manifests_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giuliocomi%2Fcsplogger/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/giuliocomi","download_url":"https://codeload.github.com/giuliocomi/csplogger/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/giuliocomi%2Fcsplogger/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28914826,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T12:13:43.263Z","status":"ssl_error","status_checked_at":"2026-01-30T12:13:22.389Z","response_time":66,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apparmor","csp","dashboard","docker","flask","hardened-image","infrastructure","logging","report-uri","seccomp","security-audit","security-tools"],"created_at":"2026-01-30T14:48:37.793Z","updated_at":"2026-01-30T14:48:38.694Z","avatar_url":"https://github.com/giuliocomi.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# csplogger\nAn endpoint to aggregate and analyze CSP violations across your infrastructure.\nCSP logger is addressed to the ones that daily strive to implement a good CSP, free from 'unsafe-inline' and similar demons.\n\u003cbr/\u003e\n\u003ca href=\"https://raw.githubusercontent.com/empijei/wapty/master/LICENSE\" rel=\"nofollow\"\u003e\u003cimg 
src=\"https://camo.githubusercontent.com/dcb3a3de32cb31ae6a7edf80d88747f989878809/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c6963656e73652d47504c76332d626c75652e737667\" alt=\"License\" data-canonical-src=\"https://img.shields.io/badge/license-GPLv3-blue.svg\" style=\"max-width:100%;\"\u003e\u003c/a\u003e\n\u003cimg alt=\"Twitter Follow\" src=\"https://img.shields.io/twitter/follow/giulio_comi?label=Follow\u0026style=social\"\u003e\n\n\n## Why\nImplementing a Content Security Policy free of issues and still secure is a pain.\nFortunately, the CSP can be configured in a \"report only but do not block\" mode (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only). With this mode and the directive 'report-uri', it is possible to plan a progressive CSP hardening by monitoring the reports that the employees' browsers send whenever a violation occurs.\n\n## Features\n1) Essentiality and portability achieved with flask, sqlite and datastore\n2) Dashboard that provides the capability for searching, filtering, ordering violations by type, timestamp, website, external resource, etc.\n3) Configurable limits to prevent feature abuses (resource draining, unreliable results by spoofed/crafted logs)\n4) Implemented with security in mind: hardened profiles for SECCOMP and Apparmor available.\n\nNote: to successfully collect the violations occurring in the browsers of the corporate users, the endpoint must use a TLS certificate issued by an internal Certificate Authority; otherwise the browsers will not send the violations automagically :-).\n\n### How it (should) work\n\n1) The endpoint is ideally reachable from every network segment of the company\n2) The intranet web applications or the corporate web proxies ensure that this header is set in HTTP responses:\n```\n    Content-Security-Policy-Report-Only: [HERE_THE_HARDENED_POLICY_TO_TEST]; report-uri https://[IP_OF_ENDPOINT]/log\n```\n
3) Users daily navigate the intranet websites without any impact on their work, while their browsers send \"in the background\" the violations that occurred for every single resource loaded (js, css, image, etc.) that would be blocked by the desired CSP configuration.\n4) Here comes the tricky part: make sense of all the data, address the violations per website, and figure out whether the policy should be deployed in a more permissive configuration or whether to get rid of those resources in a way that ensures usability but also a more secure implementation.\n\n### Installation\n```\ndocker pull giuliocomi/csplogger\n```\n(https://cloud.docker.com/repository/docker/giuliocomi/csplogger/).\n\n### Usage\nThis endpoint is best suited to run in a docker image deployed in the corporate intranet.\n\n```\ndocker run -it -v [LOCAL_VOLUME]:/home/csplogger-agent/csplogger/databases/  giuliocomi/csplogger\n\n```\nRunning the container with SECCOMP and Apparmor profiles enabled:\n```\ndocker run --security-opt=\"apparmor:docker-csplogger-apparmor\" --security-opt seccomp=seccomp-profile-csplogger.json  -v [LOCAL_VOLUME]:/home/csplogger-agent/csplogger/databases/ --cpus 1 --memory 512Mb giuliocomi/csplogger\n```\n\nNow visit http://127.0.0.1:8443/dashboard\n\n\n#### Examples\n\nhttp://127.0.0.1:8443/dashboard\n\n(1) Dashboard\n\n![alt text](https://i.imgur.com/te6WqwG.png)\n\n(2) Simple demonstration of logging and analysing CSP violations across the intranet.\n\n![alt text](https://i.imgur.com/rONO9sb.png)\n\n\n## Issues\nSpot a bug? Please create an issue here on GitHub (https://github.com/giuliocomi/csplogger/issues)\n\n## License\nThis project is licensed under the GNU General Public License Version 3.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgiuliocomi%2Fcsplogger","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgiuliocomi%2Fcsplogger","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgiuliocomi%2Fcsplogger/lists"}