
Making Sense of Content Security Policy Reports

posted Sep 9, 2014, 12:49 PM by Chris G

Making Sense of CSP Reports - a great article on the Yelp Engineering Blog

CSP is Awesome

Content Security Policy isn’t new, but it is so powerful that it still feels like the new hotness. The ability to add a header to HTTP responses that tightens user-agent security rules and reports on violations is really powerful. Don’t want to load scripts from a third-party domain? Set a CSP and don’t. Trouble with mixed content warnings on your HTTPS domain? Set a CSP and let it warn you when users are seeing mixed content. Realistically, adding new security controls to a website and a codebase as large as Yelp’s needs to be a gradual process. If we apply the new controls all at once, we’ll end up breaking our site in unexpected ways and that’s just not cool. Fortunately, CSP includes a reporting feature – a “lemme know what would happen, but don’t actually do it” mode. By using CSP reporting, Yelp is able to find and fix problems related to new CSP controls before they break our site.

Visualize, monitor, and alert for the win

The Yelp security team is a huge fan of Elasticsearch/Logstash/Kibana. Like we do with pretty much any log, we throw these CSP reports into our ELK cluster and visualize the results.
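To show what "making sense" of those reports involves before they reach a dashboard, here is an added example (not code from the Yelp post or its ELK pipeline) that flattens the JSON a browser POSTs to a report-uri into indexable fields and buckets each violation as mixed content, inline code, browser-extension noise, or a disallowed third-party host. The sample report bodies and the bucket names are constructed for this example.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample report bodies (not real Yelp data). Each is the JSON a
# browser POSTs to the report-uri, with the fields wrapped in "csp-report".
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://www.example.com/biz/cafe",'
    ' "violated-directive": "img-src https:", "blocked-uri": "http://img.example.net/photo.jpg"}}',
    '{"csp-report": {"document-uri": "https://www.example.com/biz/cafe",'
    ' "effective-directive": "script-src", "violated-directive": "script-src",'
    ' "blocked-uri": "https://cdn.partner.example/widget.js"}}',
    '{"csp-report": {"document-uri": "https://www.example.com/search",'
    ' "violated-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://www.example.com/search",'
    ' "violated-directive": "script-src", "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js"}}',
    '{"csp-report": {"document-uri": "https://www.example.com/biz/cafe",'
    ' "violated-directive": "img-src https:", "blocked-uri": "http://img.example.net/photo.jpg"}}',
]

EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension")

def classify(directive: str, blocked: str, document: str) -> str:
    """Bucket a violation by its likely cause (bucket names are this example's own)
    so a dashboard can separate real policy gaps from noise the site cannot fix."""
    scheme = urlsplit(blocked).scheme
    if scheme in EXTENSION_SCHEMES:
        return "browser-extension"      # injected by the user's extension, not by the site
    if blocked in ("inline", "eval"):
        return "inline-" + directive    # e.g. inline-script-src: site code needing a nonce/hash
    if document.startswith("https://") and scheme == "http":
        return "mixed-content"          # the HTTPS warning case the post mentions
    return "third-party"                # a host the policy does not allow (yet)

def parse_report(body: str) -> dict:
    """Flatten one CSP report POST body into the fields worth indexing."""
    r = json.loads(body).get("csp-report", {})
    # Older browsers put the whole source list in violated-directive
    # ("img-src https:"); effective-directive, when present, is just the name.
    directive = (r.get("effective-directive") or r.get("violated-directive", "")).split(" ")[0]
    blocked = r.get("blocked-uri", "")
    document = r.get("document-uri", "")
    return {
        "document_host": urlsplit(document).hostname or "",
        "directive": directive,
        "blocked_host": urlsplit(blocked).hostname or blocked,  # "inline"/"eval" have no host
        "kind": classify(directive, blocked, document),
    }

def summarize(bodies) -> Counter:
    """Count violations per (kind, directive, blocked host): the grouping a
    dashboard would chart, and the key to alert on when a new tuple appears."""
    return Counter((p["kind"], p["directive"], p["blocked_host"])
                   for p in map(parse_report, bodies))
```

Running `summarize(SAMPLE_REPORTS)` over the constructed bodies yields two mixed-content hits for the same image host, one disallowed third-party script, one inline script, and one extension-injected script that belongs in a noise bucket rather than an alert.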