CSP violation report endpoint using Elasticsearch as storage. Basically a https://report-uri.io/ alternative.

It is a Node.js application designed to receive CSP (Content Security Policy) reports and inject them in Elasticsearch for analysis.

• Node application uses http://restify.com/ framework
• The application has been tested in Ubuntu 14.04 LTS and 16.04 LTS (both 64-bit).

• bash : (optional) Scripts to rotate old indexes (indices) in Elasticsearch
• example : (optional) Example of a CSP Report this server is meant to receive
• infrastructure : (optional) Scripts to create the server and services using AWS PowerShell CLI
• nginx : Configuration file for Nginx
• nodejs : Node.js application that gets the CSP Reports and sends them to Elasticsearch

This project was implemented and tested using Amazon AWS services in the following way:

AWS EC2 (Linux) running Nginx and Node.js -> AWS Elasticsearch Service

TLDR;

• Checkout this project in your server

git clone [email protected]:seek-oss/csp-server.git

• Edit nodejs/config.js and set the Elasticsearch URL, port and version
• Start nodejs application with nodejs/server.js

node ./nodejs/server.js

This way the Node.js appliation will listen in the configured port and process POST requests containing CSP reports. Each POST will be sent to Elasticsearch into indices named cspdata-YYYYMMDD

Endpoints:

• POST http://localhost:9000/index - CSP report in json format
• GET http://localhost:9000/_healthcheck - health check

For details on how to configure a server to support https (SSL) using Nginx, Node as service using PM2 manager, log rotation and setting up Elasticsearch in AWS continue reading:

In this project we create the AWS resources using AWS CLI.

• EC2 in AWS running Ubuntu - Instructions here: infrastructure
• Elasticsearch in AWS - Instructions here: infrastructure

• Install Nginx - Instructions here: nginx

• Install Node - Instructions here: nodejs

• Configure Elasticsearch - Instructions here: elasticsearch

• Configure rotation scripts - Instructions here: bash

Get your customers to start sending CSP reports to your server

README2.md