diff options
author | Ben Burwell <ben@benburwell.com> | 2020-07-14 23:26:54 -0400 |
---|---|---|
committer | Ben Burwell <ben@benburwell.com> | 2020-07-14 23:26:54 -0400 |
commit | 0450d2244d7a6fe7768a75ae5bd09e05a73da7fc (patch) | |
tree | 7e7af48ebb58dc94f3d9e8f5571af1cfdcda4498 | |
parent | a114bd442c7cd0a0b6d6cdff1e2e61ff007e7ac9 (diff) |
-rw-r--r-- | README.md | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/README.md b/README.md new file mode 100644 index 0000000..44b7f0a --- /dev/null +++ b/README.md @@ -0,0 +1,65 @@ +# Prometheus Exporter for Content Security Policy violations + +`csp_exporter` is a web server that listens for reports of [Content Security +Policy][csp] violations and exposes the reports as Prometheus metrics so that +you can incorporate CSP violations into your normal monitoring and alerting +process. + +## How to Use + +First, download and build `csp_exporter`. If you have the Go compiler tools +installed, this should be a familiar process. Either `git clone +https://git.burwell.io/csp_exporter` and run `go build`, or `go get +bnbl.io/csp_exporter`. + +Next, start the server. You'll probably want to run it under some kind of +supervisor depending on your OS. By default, a web server accepting CSP reports +is started on port 80 and a Prometheus metrics server is started on port 9477. +You can override these by setting the `COLLECTOR_BIND_ADDR` and `PROM_BIND_ADDR` +environment variables, respectively. + +Once you have the server running, add the appropriate `report-uri` directive to +your content security policy. For example, you might add the following header to +your HTTP responses: + +``` +Content-Security-Policy: default-src 'none'; report-uri https://csp-exporter.example.com/report/csp/mysite +``` + +Note the `/report/csp/mysite` path. The `csp_exporter` accepts reports sent to +`/report/csp/<app>`, where `<app>` can be any URL path fragment. Whatever the +`<app>` is set to will be included as the value for the `app` label in your +metrics; this allows you to use `csp_exporter` to collect violation reports for +different websites, test different policy versions, etc. + +Finally, configure Prometheus to scrape metrics from `csp_exporter` by adding +something like the following to your `prometheus.yml`: + +```yml +scrape_configs: +- job_name: "csp" + static_configs: + - targets: ["cspexporter.intra.example.com:9477"] +``` + +You will now start to accumulate `csp_violation_reports_total` metrics in your +Prometheus system. The labels are derived from the fields provided in the +violation reports and should allow for very granular queries. If you are not +interested in high granularity or are concerned with recording many discrete +time series, you may want to add a [`relabel_config`][relabel] to your CSP +scrape job to drop some of the labels. + +## Contributing + +Send patches to <ben@benburwell.com>. For instructions about how to mail +patches, see [`git-send-email(1)`][gitsendemail], [the Pro Git book][progit], or +<https://git-send-email.io>. + +## License + +MIT + +[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP +[relabel]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config +[gitsendemail]: https://git-scm.com/docs/git-send-email +[progit]: https://git-scm.com/book/en/v2/Distributed-Git-Contributing-to-a-Project#_project_over_email |