logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: trying to set Content-Security-Policy-Report-Only
Author
sailor



Joined: 17 Apr 2015
Posts: 82
Location: US
PostPosted: Wed 04 Aug '21 17:13    Post subject: trying to set Content-Security-Policy-Report-Only Reply with quote
I'm trying to

Code:

Header set Report-To "{'group':'csp-endpoint','max_age':10886400,'endpoints':[{'url':'http://mysub.domain.com/report/rep2.php'}]}"
Header set Content-Security-Policy-Report-Only "default-src 'self'; report-to csp-endpoint"


But alas, it doesn't seem to be reporting. I tried making the single quotes double quotes and escaping to make it \"group\", but that did not work.

I can see the Report-To header is set in response.
Any ideas?
Back to top
sailor



Joined: 17 Apr 2015
Posts: 82
Location: US
PostPosted: Wed 04 Aug '21 21:04    Post subject: Re: trying to set Content-Security-Policy-Report-Only Reply with quote
Two things

1)I came across a page where someone stated they could see in the dev tools -> network tab the request actually go out to the report-uri or report-to. I do not see that.

2) I configured nginx for report-to and now I can see my chrome browser going out to the report-to. But it is forcing https instead of the http that I put in. I don't have an SSL cert for that server. So, will have to look for another server that has https.

But this still doesn't say why Apache does not work with this.
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK
PostPosted: Thu 05 Aug '21 13:40    Post subject: Reply with quote
You say in the browser dev tools => network you're not seeing these headers being set in the Apache response.

Have you tried "Header always set" rather than "Header set"?
Back to top
sailor



Joined: 17 Apr 2015
Posts: 82
Location: US
PostPosted: Thu 05 Aug '21 14:38    Post subject: Re: trying to set Content-Security-Policy-Report-Only Reply with quote
Yes, always seems to fix it. I settled on:

Code:

Header always set Content-Security-Policy-Report-Only "report-uri https://mywebsite.com/system/rep_file.php; default-src 'self' data:; form-action 'self' *.example.com; frame-ancestors 'self' *.example.com; base-uri: 'self' *.example.com; block-all-mixed-content; upgrade-insecure-requests"
Back to top


Reply to topic   Topic: trying to set Content-Security-Policy-Report-Only View previous topic :: View next topic
Post new topic   Forum Index -> Apache