How to Enforce a Content Security Policy

A brief walkthrough on setting Content Security Policy options in Web Controls

Web Controls enable site administrators to use pre-defined, pre-tested security or performance rulesets based on their e-commerce application, minimizing the need to discover, define, and maintain the rules themselves. You can create individual rules that match request conditions and execute a set of actions you define in your Webscale Control Panel.

A powerful Web Control action you can use is the Content Security Policy action.

Configure a Content Security Policy

Click + Add Action to open the Create Action dialog. Click the Select an action.. dropdown to open it and choose Content Security Policy from the list. Then, click Add Directive.. to see the list of available Content Security Policy directives, and choose one from the list.

Webscale Create Action dialog in the control panel showing Content Security Policy

Depending on the directive chosen, you may also have to enter the specific source or value that applies to it. When finished, click the Done button to return to the Edit Web Control screen.

You can add more than one action to a Web Control. When the control's condition is met, every action it specifies is applied to the request. Only one of them can be a final action: final actions run last, while the other actions run in no guaranteed order, not necessarily the order in which they are displayed.

See Content Security Policy Directives for a list of directives and sources you can choose from.

Content Security Policy Logs

When a content security policy is violated, a log entry is created that contains information about the violation.

Violation report parameters

  • arrival: A timestamp of when the report was received by the Webscale proxy.
  • blocked_uri: The URI of the resource that was blocked from loading by the Content Security Policy. If the blocked URI is from a different origin than the document_uri, the browser truncates it to just the scheme, host, and port. Non-URI values such as inline, eval, or data identify the kind of source that was blocked.
  • country: Country the request originated from.
  • disposition: Either “enforce” or “report”: “enforce” when the policy was delivered in the Content-Security-Policy header, “report” when it was delivered in the Content-Security-Policy-Report-Only header.
  • document_uri: The URI of the document in which the violation occurred.
  • effective_directive: The directive whose enforcement caused the violation (for example script-src, even when the policy only set default-src and the violation was caught through the fallback).
  • host: The hostname of the application that was requested.
  • original_policy: The original policy as specified by the Content-Security-Policy HTTP header.
  • peer_address: The IP address of the proxy that received the report.
  • referrer: The referrer of the document in which the violation occurred.
  • request_address: The IP address from which the request originated.
  • script_sample: The first 40 characters of the inline script, event handler, or style that caused the violation. Browsers only include this when the violated directive contains the 'report-sample' source expression.
  • session_id: The ID of the Webscale session that attempted to load the resource that triggered the violation report.
  • status_code: The HTTP status code of the resource on which the global object was instantiated.
  • useragent: The User-Agent string of the request.
  • violated_directive: The name of the policy section that was violated. Current browsers send the same value as effective_directive; older ones send the full directive text as written in the policy.

The browser-side report format, a JSON body with a top-level csp-report object whose keys are the hyphenated forms of the parameters above, is documented on MDN Web Docs.

Viewing the Content Security Policy logs

In the Content Security Policy logs view, you can drill down into the reports with filters. The filterable fields are the violation parameters listed above.

For example, the following filter shows every report whose blocked_uri contains the string admin:

blocked_uri ~ *admin*

The filter accepts wildcard characters (*) and regular expressions.

Alerting on Content Security Policy violations

You can monitor the Content Security Policy logs and configure a monitor to notify you if a specific Content Security Policy you’ve set is violated.

When logged into the Webscale Control Panel, click the (gear) icon on the upper right, and select Account Settings from the menu. Then click the Monitors tab, which takes you to the Monitors page. Click the Create monitor button to display the following:

Create monitor box in the Webscale Control Panel

Choose the following options:

  • Type: Choose logs.
  • Name: A name to identify the monitor with.
  • Description: A short description of the monitor or its purpose.
  • Add Label: Click here to add an existing label that is already applied to a related system resource.
  • Message: The message sent in the notification. This field accepts Liquid templates that render to Markdown, which is then rendered to HTML in the message sent. The templates differ depending on the monitor context (specified by the label) chosen.
  • Notify: Where to send the notification. This field currently only accepts email addresses, but Webhooks are coming soon.
  • Log Type: Choose csp-reports here.
  • Duration: Set a duration over which to monitor violations, in seconds.
  • Group By: Divides the violations into groups on values of the attribute chosen here. Webscale then evaluates the condition for each group to determine if there are any groups that should cause a notification.
  • Condition: Choose the condition, which must be in outlier(<int>, <float>) form.
  • Filter: Similar to the Traffic Viewer’s filter, but the parameters can only be Content Security Policy violation parameters.

Once configured, you will receive notifications for Content Security Policy log entries that match the above settings.
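The two mechanisms described above, the log viewer's filter syntax (field ~ *glob* with wildcard and regex support) and a logs monitor that filters csp-reports, groups them, and evaluates a condition over a duration, as an added example that is not Webscale's code. The filter grammar beyond what the page shows (the = and != operators, clauses joined with and) and the monitor's decision rule are assumptions: the page says the condition must have the form outlier(<int>, <float>) without defining it, so a plain per-group count threshold stands in for it here. The log entries are constructed.

```python
"""Filter and group CSP violation log entries the way the log viewer and a
logs monitor do.  Added example, not Webscale code; grammar and the
threshold condition are assumptions stated in the lead-in.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone


def compile_filter(expr: str):
    """Compile clauses `field ~ pattern`, `field = value`, `field != value`
    joined by ' and ' into a predicate over a log entry (dict).

    Assumed '~' semantics: '*' is a wildcard and the rest of the pattern is a
    regular expression matched against the whole field value, so
    `blocked_uri ~ *admin*` and `blocked_uri ~ https://evil\\..*` both work.
    Other regex metacharacters in a value (e.g. '?') are therefore live.
    """
    clauses = []
    for clause in re.split(r"\s+and\s+", expr.strip()):
        m = re.fullmatch(r"(\w+)\s*(~|!=|=)\s*(\S+)", clause)
        if not m:
            raise ValueError(f"cannot parse filter clause: {clause!r}")
        field, op, value = m.groups()
        if op == "~":
            pat = re.compile(value.replace("*", ".*"))  # glob star -> regex
            clauses.append((field, lambda v, p=pat: p.fullmatch(v) is not None))
        elif op == "=":
            clauses.append((field, lambda v, x=value: v == x))
        else:
            clauses.append((field, lambda v, x=value: v != x))
    return lambda rec: all(test(str(rec.get(f, ""))) for f, test in clauses)


def evaluate_monitor(logs, *, flt: str, group_by: str, duration_s: int,
                     threshold: int, now: datetime) -> dict:
    """Apply the monitor's Filter, keep entries that arrived within the last
    `duration_s` seconds, count them per `group_by` value, and return the
    groups whose count reaches `threshold` (stand-in for outlier(...))."""
    keep = compile_filter(flt)
    window_start = now - timedelta(seconds=duration_s)
    counts = Counter()
    for rec in logs:
        arrived = datetime.fromisoformat(rec["arrival"])
        if keep(rec) and window_start <= arrived <= now:
            counts[rec[group_by]] += 1
    return {g: n for g, n in counts.items() if n >= threshold}


def _entry(arrival, blocked_uri, directive, addr, country, path):
    return {"arrival": arrival, "blocked_uri": blocked_uri,
            "effective_directive": directive, "request_address": addr,
            "country": country, "disposition": "enforce",
            "document_uri": "https://shop.example.com" + path}


# Constructed sample log entries, keyed like the violation parameter table.
LOGS = [
    _entry("2020-07-16T12:00:05+00:00", "https://evil.example.net", "script-src-elem", "203.0.113.7", "US", "/checkout"),
    _entry("2020-07-16T12:00:20+00:00", "https://evil.example.net", "script-src-elem", "203.0.113.8", "US", "/checkout"),
    _entry("2020-07-16T12:00:40+00:00", "https://evil.example.net", "script-src-elem", "203.0.113.9", "DE", "/checkout"),
    _entry("2020-07-16T12:01:10+00:00", "https://cdn.example.com", "img-src", "198.51.100.2", "US", "/admin/dashboard"),
    _entry("2020-07-16T12:01:15+00:00", "inline", "style-src-attr", "198.51.100.3", "FR", "/admin/orders"),
    _entry("2020-07-16T12:30:00+00:00", "https://evil.example.net", "script-src-elem", "203.0.113.10", "US", "/checkout"),
]


def demo():
    """Viewer-style filter on the admin pages, then a monitor that alerts when
    one blocked origin is rejected by a script-src directive 3+ times in 5 min."""
    now = datetime(2020, 7, 16, 12, 5, tzinfo=timezone.utc)
    admin_hits = [r for r in LOGS if compile_filter("document_uri ~ *admin*")(r)]
    alerts = evaluate_monitor(LOGS, flt="effective_directive ~ script-src*",
                              group_by="blocked_uri", duration_s=300,
                              threshold=3, now=now)
    return admin_hits, alerts


if __name__ == "__main__":
    hits, alerts = demo()
    print(f"{len(hits)} reports from admin pages")
    for origin, n in alerts.items():
        print(f"ALERT: {origin} blocked {n} times in the last 5 minutes")
```

Grouping by blocked_uri is the useful choice for the script-injection case: three different visitors (two countries) all being served the same foreign script origin in a checkout page is one incident, whereas grouping by request_address would spread the same incident over three groups of one and never reach the threshold. The sixth entry shows why the Duration matters: a report half an hour later falls outside the window and does not count toward the alert.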

Further Reading

Have questions not answered here? Please Contact Support to get more help.


Last modified July 16, 2020