CSP violation reporting
Set up reporting endpoint
add the reporting
middleware to your middleware chain in middleware.js
:
// middleware.jsimport { chainMatch, isPageRequest csp, reporting, strictDynamic, strictInlineStyles,} from '@komw/next-safe-middleware';
const securityMiddleware = [ csp(), strictDynamic(), reporting(),];
export default chainMatch(isPageRequest)(...securityMiddleware);
then, set up the reporting endpoint in pages/api/reporting.js
:
// pages/api/reporting.jsimport { reporting } from "@komw/next-safe-middleware/dist/api";
/** @type {import('@komw/next-safe-middleware/dist/api').Reporter} */const consoleLogReporter = (data) => console.log(JSON.stringify(data, undefined, 2));
export default reporting(consoleLogReporter);
CSP violation reports will be send to this endpoint, both from report-uri
and report-to
directives. The data shape of reports is slightly different between both directives. The API handler parses the data into a discriminated union and passes it to all reporter functions. You can pattern-match the data there with IntelliSense support.
Send violation reports to Sentry
If you use Sentry for monitoring your app, there is a convenient helper sentryCspReporterForEndpoint
to create a reporter, that ingests all CSP violations into your Sentry project:
// pages/api/reporting.jsimport { reporting, sentryCspReporterForEndpoint,} from "@komw/next-safe-middleware/dist/api";
// lookup at https://docs.sentry.io/product/security-policy-reporting/const sentryCspEndpoint = process.env.SENTRY_CSP_ENDPOINT;const sentryCspReporter = sentryCspReporterForEndpoint(sentryCspEndpoint);
export default reporting(sentryCspReporter);
Sentry only supports the data format of the report-uri
directive. It can't
receive violation reports in report-to
format. However, all Chromium-based
browsers send violation reports in report-to
format.
sentryCspReporterForEndpoint
does the necessary conversion, so you will
receive reports from all major browsers in Sentry.