Detect Content Security Policy (CSP) violations with Raygun


A Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.

Whilst blocking attacks is important, it is also useful to be notified of attacks when they happen. A successful attack could bring your organization to a halt, from broken webpages to data breaches.

Raygun Crash Reporting now supports capturing CSP violations. You can configure the reporting API to send violation reports to Raygun and we’ll transform them into a detailed crash report. Your team gets detailed violation diagnostics, so you can be alerted to issues quickly and resolve them faster, with details including which page and even which customer was affected.


You can also customize your crash reports in depth using Raygun’s out-of-the-box features.

User tracking

Providing user information will allow your Raygun dashboard to display the number of unique users that each CSP violation has affected. This is a huge help with prioritizing issues to solve that have the largest impact. (Please review your company’s privacy policy.)

Tags

When a CSP violation is recorded, Raygun automatically tags the report with the violating directive, blocked host, and a CSP tag. If the default tags are not enough, you can also add custom tags to your CSP reports.

Custom data

You can attach key-value custom data to your CSP reports by appending a customData query string parameter to the report URI, whose value is a URL-encoded JSON object.

Version numbering

The version number of your application can be attached to your CSP reports by appending a version query string parameter to the report URI, whose value is a URL-encoded string.

Getting started

To integrate Raygun and CSP, start with a report-only policy so you can test and refine it before setting it to be enforced by the browser:

Content-Security-Policy-Report-Only: default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri https://report-to-api.raygun.com/reports-csp?apikey=<YOUR-API-KEY>
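As an added example that is not Raygun’s own code, the following Python builds the report URI with the customData and version parameters described above, decodes it again so you can verify what a deployment actually sends, and shows how the directive and blocked host from a browser’s violation report would map to tags. The API key and the sample violation report are constructed placeholders, and the tag derivation is an assumption about Raygun’s behaviour, not its documented implementation.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint from the header above; the key passed in below is a placeholder, not a real key.
RAYGUN_CSP_ENDPOINT = "https://report-to-api.raygun.com/reports-csp"


def build_report_uri(api_key, custom_data=None, version=None):
    """report-uri value with optional customData (URL-encoded JSON) and version parameters."""
    params = {"apikey": api_key}
    if custom_data is not None:
        # Serialise to JSON first; urlencode then percent-encodes it. This also guarantees
        # no raw ';' or ',' survives, which would otherwise split the CSP header directive.
        params["customData"] = json.dumps(custom_data, separators=(",", ":"))
    if version is not None:
        params["version"] = str(version)
    return f"{RAYGUN_CSP_ENDPOINT}?{urlencode(params)}"


def decode_report_uri(uri):
    """Reverse build_report_uri so the deployed value can be checked before rollout."""
    query = parse_qs(urlsplit(uri).query)
    decoded = {name: values[0] for name, values in query.items()}
    if "customData" in decoded:
        decoded["customData"] = json.loads(decoded["customData"])
    return decoded


def report_only_header(report_uri):
    """(name, value) pair for the report-only policy used while refining the policy."""
    directives = ["default-src 'none'", "form-action 'none'",
                  "frame-ancestors 'none'", f"report-uri {report_uri}"]
    return "Content-Security-Policy-Report-Only", "; ".join(directives)


# Constructed sample of the JSON body a browser POSTs to report-uri on a violation.
SAMPLE_VIOLATION = {"csp-report": {
    "document-uri": "https://app.example.com/checkout",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.third-party.example/widget.js",
}}


def derive_tags(report):
    """Assumed tagging scheme: violated directive, blocked host, and a 'CSP' tag."""
    body = report["csp-report"]
    directive = body.get("effective-directive") or body["violated-directive"].split()[0]
    blocked = body.get("blocked-uri", "")
    host = urlsplit(blocked).netloc or blocked  # 'inline' / 'eval' carry no host
    return [directive, host, "CSP"]
```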

Note: If you’re already using a Content Security Policy on your website then read how to switch your CSP reporting to Raygun.

Once it’s all configured, each policy violation will appear as a new notification in your Active errors tab in Crash Reporting. Clicking into the error message will surface all the error instance data.

Choose to be alerted with our Slack integration or by email notifications which contain a summary of the report with all the relevant information:

Figure: Raygun sends real-time alerts for CSP violations straight to Slack

Additionally, because the reports come into Raygun as crash reports, you can also use all the standard features of Raygun, like inbound filters, workflow statuses, filtering, assigning to a user or team, merging, and notifications.

Get started capturing CSP violations so that you can prevent and resolve attacks and vulnerabilities. Read the docs to get started.