Skip to content

An API endpoint which collects reports from Content Security Policy (CSP) and HTTP Public Key Pinning (HPKP)

License

Notifications You must be signed in to change notification settings

rspeed/Django-Lookout

Repository files navigation

Django Lookout logo: a lookout tower Django Lookout

Build Status Test Coverage

Django Lookout is an API endpoint for collecting and processing automatic incident reports send by your visitors' web browsers. Currently that includes both Content Security Policy (CSP) and HTTP Public Key Pinning (HPKP), but support for additional report types is planned.

Before getting started you should familiarize yourself with the standards and their potential pitfalls (especially HPKP). The risks can be mitigated significantly by using Django Lookout along with report-only policies, which would still allow you to be notified of potential attacks without the risk of accidentally rendering your web site inaccessible.

It's important to note that Django Lookout only handles the reporting part of the process. Setting the headers which tell browsers what to do, or even where to send reports, is outside its scope. You'll need to set the report-uri property for CSP and/or HPKP to point to your Django Lookout endpoint.

Install and Configure

See documentation.

Standards

Currently Supported

HTTP Reporting API
A generic incident reporting API that can be used by all of the following standards. Django Lookout automatically converts reports using "legacy" schemas to the generic schema.
Content Security Policy
Browsers will (optionally) block unauthorized content and send an incident report if a resource is requested which isn't permitted by the policy.
HTTP Public Key Pinning
Browsers supporting HPKP will (optionally) block connections and send an incident report if the site doesn't use the specified HTTPS certificate in the future.

Planned Support

These standards are planned to be supported in Django Lookout 1.0:

Network Error Logging
Browsers supporting NEL will send incident reports if a networking error is encountered when requesting content.
Expect-CT
Browsers supporting Report-CT will send an incident report if it receives a certificate which doesn't adhere to Certificate Transparency guidelines.
Expect-Staple
Browsers supporting Expect-Staple will send an incident report if a TLS handshake with the site doesn't include an OCSP response.

Browser Implementation Status

The only standard currently supported across all major browsers is Content Security Policy. It's hoped that the HTTP Reporting API will significantly improve the situation in the future.

Note

This table only considers a feature supported if it includes reporting functionality.

Note

Internet Explorer is excluded due to the fact that it doesn't support any of these features via standard headers.

Standard Chrome Firefox Edge Safari
Content Security Policy (CSP) Supported Supported Supported [1] Supported [2]
HTTP Public Key Pinning (HPKP) Supported [3] Not Supported [4] Not Supported [5] Not Supported
HTTP Reporting API Not Supported [6] Not Supported Not Supported Not Supported
Network Error Logging (NEL) Not Supported [7] Not Supported Not Supported [8] Not Supported
Expect-CT Supported [9] Not Supported [10] ? ?
Expect-Staple ? ? ? ?

Additional Information

Content Security Policy

HTTP Public Key Pinning

Tools and Similar Projects

Footnotes

[1]Supported as of build 15002
[2]Unknown when support was added
[3]Supported as of Chrome 46
[4]No support for report-uri
[5]Under consideration
[6]Complete, but not yet in a production release
[7]In development
[8]Under consideration
[9]Supported as of Chrome 61
[10]Planned

About

An API endpoint which collects reports from Content Security Policy (CSP) and HTTP Public Key Pinning (HPKP)

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published