Alerting
Rolling out Content Security Policy is not the end of the journey. The policy must be continually monitored and updated. Two main things can happen that require action:
- New features. New features are added to the website, but the Content Security Policy blocks them.
- XSS. CSP reports on (or blocks) attempted XSS against your website, but the underlying vulnerabilities must still be fixed.
Csper supports alerting for both of those conditions.
Alerting Panel
The alerting panel is available for projects on the BUSINESS plan and above; it can be found in the sidebar under "Monitoring".

Csper's alerting panel
Projects can create multiple alerts with different severities and conditions.
Alerting Conditions
All alerts can filter on a number of conditions: classification, directives, browsers, and browser age.

Sample configuration for detecting XSS attempts
NEW_REPORT_TYPE
NEW_REPORT_TYPE is fired whenever a received report doesn't look like any previously known reports.
This alert category is useful for detecting XSS attempts.
When searching for XSS attempts, the following configuration works well:
- Classifications: source, inline, eval, injected
- Directives: script-src, object-src
- Browsers: all (you could limit this to Chrome/Firefox for more certainty, since Safari and other browsers can produce buggy reports)
- Ignore Old Browsers: True
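The filter above can be expressed as a small piece of detection logic. The following is an added example, not Csper's code: it takes CSP violation reports in the standard report-uri JSON shape (`effective-directive`, `blocked-uri`, `script-sample`), derives the `source`/`inline`/`eval` classification from `blocked-uri`, applies the directive, classification and old-browser filters, fingerprints each report, and flags any fingerprint not already in the known set. The sample reports, the known baseline, and the browser-version threshold used for "old" are all constructed assumptions; Csper's `injected` classification is not reproduced because the public report format does not expose how it is derived.

```python
"""NEW_REPORT_TYPE-style filter over CSP violation reports (added example)."""
import re
from urllib.parse import urlsplit

# Filter configuration mirroring the page's suggested settings.
WANTED_CLASSIFICATIONS = {"source", "inline", "eval"}
WANTED_DIRECTIVES = {"script-src", "object-src"}
# Assumed thresholds for "old browser": major versions below these are ignored.
MIN_MAJOR = {"Chrome": 100, "Firefox": 100}

# Constructed baseline: fingerprints already seen and accepted as normal.
KNOWN_BASELINE = {("script-src", "source", "cdn.example")}

# Constructed sample input: (user agent, parsed "csp-report" body).
SAMPLE_REPORTS = [
    # Known third-party script blocked by the policy: matches the baseline.
    ("Mozilla/5.0 Chrome/121.0.0.0",
     {"effective-directive": "script-src-elem",
      "blocked-uri": "https://cdn.example/widget.js"}),
    # Same violation from Firefox: same fingerprint, still known.
    ("Mozilla/5.0 Firefox/122.0",
     {"effective-directive": "script-src-elem",
      "blocked-uri": "https://cdn.example/widget.js"}),
    # Inline script never seen before: should be flagged.
    ("Mozilla/5.0 Chrome/121.0.0.0",
     {"effective-directive": "script-src-elem", "blocked-uri": "inline",
      "script-sample": "alert(document.domain)"}),
    # Same inline report from an old browser: dropped by Ignore Old Browsers.
    ("Mozilla/5.0 Chrome/70.0.3538.77",
     {"effective-directive": "script-src-elem", "blocked-uri": "inline",
      "script-sample": "alert(document.domain)"}),
    # style-src violation: outside the configured directives.
    ("Mozilla/5.0 Chrome/121.0.0.0",
     {"effective-directive": "style-src-elem", "blocked-uri": "inline"}),
    # eval under script-src: new fingerprint, should be flagged.
    ("Mozilla/5.0 Firefox/122.0",
     {"effective-directive": "script-src", "blocked-uri": "eval"}),
]


def classify(blocked_uri: str) -> str:
    """Map blocked-uri onto the page's classifications (minus 'injected')."""
    if blocked_uri == "inline":
        return "inline"
    if blocked_uri == "eval":
        return "eval"
    return "source"


def base_directive(effective: str) -> str:
    """Fold script-src-elem / script-src-attr onto script-src, etc."""
    return re.sub(r"-(elem|attr)$", "", effective)


def is_old_browser(user_agent: str) -> bool:
    """Assumption: unparseable agents are treated as old (and therefore ignored)."""
    match = re.search(r"(Chrome|Firefox)/(\d+)", user_agent)
    if not match:
        return True
    return int(match.group(2)) < MIN_MAJOR[match.group(1)]


def fingerprint(body: dict) -> tuple:
    """(directive, classification, key): host for sources, sample for inline/eval."""
    directive = base_directive(body.get("effective-directive", ""))
    blocked = body.get("blocked-uri", "")
    cls = classify(blocked)
    if cls == "source":
        key = urlsplit(blocked).netloc or blocked
    else:
        key = body.get("script-sample", "")[:40]
    return (directive, cls, key)


def matches_filter(user_agent: str, body: dict, ignore_old: bool = True) -> bool:
    """Apply the directive, classification and old-browser conditions."""
    directive, cls, _ = fingerprint(body)
    if directive not in WANTED_DIRECTIVES or cls not in WANTED_CLASSIFICATIONS:
        return False
    if ignore_old and is_old_browser(user_agent):
        return False
    return True


def new_report_types(reports, known: set) -> list:
    """Return fingerprints not in `known` (first-seen order), adding them to `known`."""
    flagged = []
    for user_agent, body in reports:
        if not matches_filter(user_agent, body):
            continue
        fp = fingerprint(body)
        if fp not in known:
            known.add(fp)
            flagged.append(fp)
    return flagged


if __name__ == "__main__":
    for fp in new_report_types(SAMPLE_REPORTS, set(KNOWN_BASELINE)):
        print("NEW_REPORT_TYPE:", fp)
```

Fingerprinting on the host for `source` reports (rather than the full URL) keeps cache-busted or versioned script paths from each looking like a new report type; for `inline` and `eval` the truncated `script-sample` is the only thing that distinguishes one injection from another, so it becomes the key.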
REPORT_SPIKE
REPORT_SPIKE is fired whenever a report group receives 20x its normal traffic. Specifically, an alert is fired if a report group receives 20x as many reports in an hour as its hourly average over the last 24 hours.
This alert is useful for detecting CSP misconfigurations that are breaking a website.
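The spike rule is simple enough to state as code. The following is an added example, not Csper's implementation: it buckets a report group's timestamps by hour, takes the hourly average over the 24 hours preceding the current hour as the baseline, and fires when the current hour holds 20x that average or more. Two details are assumptions rather than anything the page states: the baseline window excludes the hour being evaluated, and an idle group gets a floor of one report per hour so a single stray report does not trigger a "spike" against a baseline of zero. The report groups and timestamps are constructed.

```python
"""REPORT_SPIKE-style check over per-group report timestamps (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

SPIKE_FACTOR = 20
# Assumed floor: an idle group needs at least 20 reports before it is a spike.
MIN_BASELINE_PER_HOUR = 1.0
BASELINE_HOURS = 24

# Constructed "now" used by the sample data and the demo below.
NOW = datetime(2024, 3, 1, 14, 30, tzinfo=timezone.utc)


def hour_bucket(ts: datetime) -> datetime:
    """Truncate a timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def spike_check(timestamps, now: datetime):
    """Return (fired, current_hour_count, baseline_hourly_average)."""
    current = hour_bucket(now)
    window_start = current - timedelta(hours=BASELINE_HOURS)
    buckets = Counter(hour_bucket(t) for t in timestamps)
    current_count = buckets.get(current, 0)
    # Only the 24 full hours before the current hour feed the baseline;
    # anything older is ignored.
    baseline_total = sum(c for h, c in buckets.items() if window_start <= h < current)
    avg = baseline_total / BASELINE_HOURS
    threshold = SPIKE_FACTOR * max(avg, MIN_BASELINE_PER_HOUR)
    return current_count >= threshold, current_count, avg


def constructed_reports(per_hour_baseline: int, current_hour_count: int, stale: int = 0):
    """Build synthetic timestamps: a flat baseline, a burst in the current hour,
    and optionally some reports older than the window (which must not count)."""
    current = hour_bucket(NOW)
    ts = []
    for h in range(1, BASELINE_HOURS + 1):
        hour = current - timedelta(hours=h)
        ts += [hour + timedelta(minutes=5 * i) for i in range(per_hour_baseline)]
    ts += [current + timedelta(seconds=30 * i) for i in range(current_hour_count)]
    ts += [current - timedelta(hours=30) + timedelta(minutes=i) for i in range(stale)]
    return ts


# Constructed report groups keyed the way a CSP dashboard might label them.
GROUPS = {
    # 2/hour baseline, 60 this hour: 60 >= 20 * 2, fires. Stale reports ignored.
    "style-src / inline / /checkout": constructed_reports(2, 60, stale=5),
    # 2/hour baseline, 10 this hour: below the 40 threshold, quiet.
    "script-src / source / cdn.example": constructed_reports(2, 10),
    # No baseline at all, 5 this hour: floor makes the threshold 20, quiet.
    "object-src / source / plugin.example": constructed_reports(0, 5),
}


def evaluate(groups: dict, now: datetime = NOW) -> dict:
    """Run the spike check for every group."""
    return {name: spike_check(ts, now) for name, ts in groups.items()}


if __name__ == "__main__":
    for name, (fired, count, avg) in evaluate(GROUPS).items():
        print(f"{'REPORT_SPIKE' if fired else 'ok':12} {name}: {count} this hour, avg {avg:.1f}/h")
```

A deployment change that breaks a page typically shows up as exactly the first group: a directive that had a trickle of reports suddenly produces one for every page view, while the baseline for the other groups is unchanged.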
Reducing False Positives
The best way to reduce false positives is to reduce the scope of the alerts you want. There's a balance between filtering too much and not enough. For example, ignoring old browsers cuts back a lot of noise, but it's possible an XSS is being attempted against a user with an older browser. The right balance will depend on your organization's security resources and stance.
Alert Events
When an alert condition is met, an email is fired to the supplied email address.

Sample alert email for an attempted XSS
Other notification mechanisms are scheduled for development, but if there's one you'd like, please let us know at support@csper.io!