Over the weekend I finalised a major update for https://report-uri.io, my new CSP and HPKP violation reporting service. Designed to make setting up and using your CSP even easier, this update has now been pushed out to the live site. Here are the details.
The first change that you might notice is the new branding on the site! I've gone for a 'flat' design on the logo now and the simpler two-colour approach ties in exactly with the colours on the site.
The CSP Analyser has also had a few upgrades. It now warns about the use of deprecated directives in the policy, will list both the CSP and CSPRO (Content-Security-Policy-Report-Only) headers if they are present, and has had a few minor bugs fixed where malformed policies resulted in problems with the output.
The CSP Builder has had a major overhaul and is basically brand new. There are loads of features here that I'm quite pleased with and I hope they will make deploying CSP much, much easier. The new tab approach makes the page less 'wall of text' and more 'actually usable'.
The biggest feature that I've added is the ability to import an existing CSP or CSPRO header into the policy builder. This means that if you want to make changes to your existing policy, you don't need to re-configure it from the ground up, wasting time and risking a mistake. Simply enter your domain, select the policy you want to import and then hit Import!
When a policy is imported, or you generate one manually, there is now some feedback in the GUI to indicate which policy directives are in use so you can keep track of what is in effect at a glance. Look for the little tick icon next to the directive to see which ones are being used.
All of the modal popups, accessible via the 'More Info' links, now have additional information to help you understand what each policy directive does and what the possible values are.
Generate a policy
Once you have imported or built your policy, and made any changes you like, you can hit the Generate button to produce your finished CSP header!
The UI will update to reflect any directives you have added or removed and you can continue to make changes to your policy and re-generate it! I want to make it really easy to deploy an effective Content Security Policy and this new policy builder is just the first step.
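To make the import, check and regenerate cycle above concrete, here is a small, added example (not report-uri.io's own code) of the three steps the analyser and builder perform: pull the CSP or CSPRO header out of a set of response headers, parse it into its directives so that each one in use can be ticked off, flag deprecated directive names, then serialise the edited policy back to a header value. The set of deprecated directive names and the report endpoint URL are assumptions made for this example.

```python
# Added example, not report-uri.io's own code: a minimal CSP importer and
# builder round trip.

# Directive names dropped by later CSP levels. This set is an assumption
# chosen for the example, not the analyser's own list.
DEPRECATED_DIRECTIVES = {"reflected-xss", "referrer"}

CSP_HEADER = "content-security-policy"
CSPRO_HEADER = "content-security-policy-report-only"


def policies_from_headers(headers):
    """Return {'csp': value, 'cspro': value} for whichever headers are set.

    `headers` is a plain dict of response headers; lookup ignores case.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    found = {}
    if CSP_HEADER in lowered:
        found["csp"] = lowered[CSP_HEADER]
    if CSPRO_HEADER in lowered:
        found["cspro"] = lowered[CSPRO_HEADER]
    return found


def parse_csp(header_value):
    """Parse a header value into an ordered {directive: [values]} dict.

    Directives are ';'-separated; the first token is the name, the rest are
    its values. Names are case-insensitive, empty segments (a trailing or
    doubled ';') are skipped, and a repeated directive keeps only its first
    occurrence, which is how browsers treat duplicates.
    """
    policy = {}
    for segment in header_value.split(";"):
        tokens = segment.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def deprecated_directives(policy):
    """Directive names in the policy that appear in DEPRECATED_DIRECTIVES."""
    return sorted(name for name in policy if name in DEPRECATED_DIRECTIVES)


def set_directive(policy, name, values):
    """Add or replace a directive; 'in use' in the GUI is simply `name in policy`."""
    policy[name.lower()] = list(values)
    return policy


def remove_directive(policy, name):
    policy.pop(name.lower(), None)
    return policy


def build_csp(policy):
    """Serialise back to a header value; value-less directives get no trailing space."""
    return "; ".join(" ".join([name] + values) for name, values in policy.items())


if __name__ == "__main__":
    # Constructed sample response headers, standing in for a fetched site.
    headers = {
        "Content-Type": "text/html",
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self' https://cdn.example.com; "
            "reflected-xss block; default-src 'none';"
        ),
    }
    imported = parse_csp(policies_from_headers(headers)["csp"])
    print("in use:", sorted(imported))
    print("deprecated:", deprecated_directives(imported))
    remove_directive(imported, "reflected-xss")
    # Placeholder endpoint for the example, not a real reporting address.
    set_directive(imported, "report-uri", ["https://example.com/csp-report"])
    print(build_csp(imported))
```

The duplicate `default-src 'none'` in the sample is deliberately kept out of the parsed policy, because a browser ignores a repeated directive; an importer that instead let the last copy win would show the user a policy that is stricter than the one actually being enforced.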
There have been quite a few changes in the account section and you will notice that the beta banners are now gone. The site has undergone enough testing and has enough users now that I'm happy to remove the 'beta' warning! One of the biggest things that needed to change was to break out CSP and HPKP reports into their own sections. A site is very likely to receive many CSP reports and very few HPKP reports. This resulted in any HPKP reports getting lost in the noise, so now that they have their own separate sections it's much easier to distinguish between them. Unfortunately, due to some technical details I will explain in a subsequent blog post, all historic data in the service was wiped to accommodate the change.
The CSP and HPKP sections now have their own sub-menu and I've introduced a menu for the tools available on the site so users don't have to go back out to the main page to use the navigation bar there. All of the same features that were available previously are still there, with the exception that the HPKP section doesn't have a 'Top 10' section as it doesn't really apply to HPKP violations.
With the new layout the CSP and HPKP tables also have much more appropriate headings for the various sections of incoming reports.
There have been quite a few changes in the Settings section in response to some fairly frequently requested features.
Time zone support
Probably the most requested feature was the ability for users to view their incoming reports in their own time zone rather than the default UTC time zone that was being used. You can now select and set your time zone from the Settings page and all report timestamps will be shown correctly for you.
The next biggest thing I noted was users getting in touch asking what certain types of report were. So many CSP violations are created by the inner workings of a browser, extensions, toolbars and other factors that we as a host can't resolve, and it was confusing to have so much clutter in the dashboards. The new filters allow a user to remove a lot of the noise and take away reports that we simply can't do anything about, like those created by extensions that the visitor has installed. There is more information available for each filter on the 'View Info' link.
I've also added a section to allow you to define the hosts you want to collect reports for. This may seem a bit odd at first, but we have to remember that your CSP reporting endpoint is public knowledge and available for all to see in your HTTP response headers. There is nothing stopping someone else putting your reporting endpoint in their own policy and flooding you with bogus reports. With the inclusion of the hosts listed here you can now specify the hosts that you want us to collect reports from and we will discard the rest, helping keep your dashboards even more noise free.
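The two checks just described, dropping extension noise and discarding reports for hosts you did not register, are straightforward to apply at the endpoint before anything is stored. The following added example (not report-uri.io's own code) does exactly that over a few constructed CSP violation reports in the standard `csp-report` JSON shape: a report is kept only if its `document-uri` host is on the account's allowlist and its `blocked-uri` is not a browser-extension URL, and anything that fails to parse is counted as malformed rather than stored. The set of extension URL schemes is an assumption for the example.

```python
# Added example, not report-uri.io's own code: host allowlist and noise
# filtering for incoming CSP violation reports.
import json
from urllib.parse import urlsplit

# URL schemes used for content injected by browser extensions. A blocked-uri
# with one of these schemes is something the site owner cannot fix. The set
# is an assumption chosen for this example.
EXTENSION_SCHEMES = {
    "chrome-extension",
    "moz-extension",
    "safari-extension",
    "ms-browser-extension",
}


def host_of(uri):
    """Lower-cased hostname of a URI, or '' if it has none or is unparsable."""
    try:
        return (urlsplit(uri).hostname or "").lower()
    except ValueError:
        return ""


def accept_report(raw, allowed_hosts):
    """Decide whether one raw JSON report body should be stored.

    Returns (accepted, reason). Order matters: a report is rejected for the
    cheapest, most decisive reason first, so a flood of reports for a host
    you never registered never reaches the noise checks.
    """
    allowed = {h.lower() for h in allowed_hosts}
    try:
        report = json.loads(raw)["csp-report"]
        document_uri = report["document-uri"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed report"

    if host_of(document_uri) not in allowed:
        return False, "document-uri host not in allowlist"

    # blocked-uri may be a URL or a keyword such as 'inline' or 'eval';
    # keywords have no scheme, so they pass this check.
    blocked = str(report.get("blocked-uri", ""))
    if urlsplit(blocked).scheme.lower() in EXTENSION_SCHEMES:
        return False, "blocked-uri is browser extension noise"

    return True, "accepted"


def filter_reports(raw_reports, allowed_hosts):
    """Split a batch into the reports to store and a per-reason count of drops."""
    accepted, dropped = [], {}
    for raw in raw_reports:
        ok, reason = accept_report(raw, allowed_hosts)
        if ok:
            accepted.append(json.loads(raw)["csp-report"])
        else:
            dropped[reason] = dropped.get(reason, 0) + 1
    return accepted, dropped


# Constructed sample reports for the example, not captured traffic.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/checkout",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://cdn.example.net/widget.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://someone-else.example.org/",
        "violated-directive": "default-src 'none'",
        "blocked-uri": "https://example.com/"}}),
    "{not json at all",
]


if __name__ == "__main__":
    kept, drops = filter_reports(SAMPLE_REPORTS, {"example.com"})
    print("stored:", [r["blocked-uri"] for r in kept])
    print("dropped:", drops)
```

Keeping a count per drop reason, rather than silently discarding, is worth the few extra lines: a sudden spike in "host not in allowlist" is the signature of someone pointing their own policy at your endpoint, which you would otherwise never see once the filter is in place.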
Deleting your data
One of the next big concerns that users had was, quite understandably, about their data and what happens to it. Your data is your data and will always remain so. I'm going to update the site with a policy regarding this soon enough, but for now, to demonstrate that it truly is your data, I've implemented a feature to delete it all. This isn't any Ashley Madison kind of data deletion, and there sure as heck isn't any cost for doing so. This is a 'you hit that button and we drop your table there and then' kind of data deletion. Once the table has been dropped your account will be disabled until such time as you want to start collecting reports again and choose to re-activate it.
Just to clear up some confusion on an existing feature I want to explain a little more on the option to create your own, custom, reporting address for your policy. On the Setup page you can see your own unique reporting address.
This is yours for life and is how we identify which account we should store the incoming reports in. One thing that I thought would be really nice, though, was if you could set your own custom address, a vanity URL if you will. To set your own URL, simply type the desired value that you'd like to have on the end of your address and hit submit. Perhaps you want your name in there, your brand, the name of your site, anything. I simply put ScottHelme into the form, hit submit and claimed my own customised address.
Once you've set a custom address we will instantly start collecting reports that are sent to it. It's worth noting that we will always continue to collect reports sent to your initial address, as the unique identifier you see initially will always be tied to your account, but I'd advise against using that and setting a custom address for your policies instead.
I'd love to hear from you, and getting feedback from people using the site is always great. Despite still being relatively new, I've had some great emails from people using the service who have found out things about their site that they just didn't know. People are leveraging features of CSP that they didn't know existed and are seeing actual gains from being able to monitor their policy in real-time. If you have any feature suggestions, bug reports or just general feedback then please feel free to get in touch with me. You can use the comments section below, send me a tweet or drop me an email. Setting up a CSP doesn't need to be complicated and you can start with a simple, report-only policy, so what are you waiting for?!