For a couple of years security pros have browser tools to combat Web page cross-site scripting and related attacks. One is called Content Security Policy (CSP), an HTTP header that defines a whitelist of sources (a domain) that any type of content on browser pages can be loaded from.
If an attempt is made to load content from a domain not on the list it doesn’t get through. A similar capability called HTTP Public Key Pinning (HPKP) does much the same thing, allowing admins to define a whitelist of cryptographic identities that the browser should trust for the site
One problem is easily setting up a system leveraging CSP or HPKP to warn administrators an attack is taking place. Scott Helme, a British IT security consultant, has started a free service to do that.
Called report-uri, he says it was built “to make the violation reporting aspect easy and to draw attention to the ease of deploying these security policies with the hope of increasing their usage.”
Briefly, admins register their sites so JSON-formatted violation reports are forwarded to report-uri.io. There administrators can monitor the reports in real time, seeing what security policies are being triggered, where and why. No other customer or Web site data is collected.
Helme says his service solves the problems of receiving, storing and querying reports on premise. Reports show the type of violation (CSP or HPKP), the data, the URI and the blocked URI and its raw code. Graphs are available as well. A Top 10 section allows admins to see which pages on their site are the worst offenders and what the majority of violations are being caused by.
Registration is free for basic features, including collecting and viewing reports. In the future, Helme says, he may charge for premium features.