this post was submitted on 02 Aug 2025
20 points (95.5% liked)

Selfhosted


I’ve been working on adding security headers to my reverse proxy, and so far I believe I have gotten most of them except for Content Security Policies. I honestly can’t find a simplified way to apply a CSP to 20+ docker applications and hope folks on Lemmy know the best way to go about this.

I want to note that I have never worked with headers in the past. I tried interpreting the Traefik documentation and Mozilla documentation as well as a bunch of random YT videos, but can’t seem to get it right.

    # Traefik dynamic config: a "headers" middleware (http.middlewares.<name>.headers)
    headers:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: https
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
        customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        contentTypeNosniff: true
        browserXssFilter: true
        contentSecurityPolicy: "" # empty: no CSP header is sent yet
        referrerPolicy: "same-origin"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), usb=()"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex" # disable search engines from indexing home server
          server: "traefik" # replace the upstream Server header
top 9 comments
[–] mhzawadi@lemmy.horwood.cloud 10 points 1 day ago (2 children)

You're in luck, I have been doing this at work.

First have a look at the report header Content-Security-Policy-Report-Only and add things you know about, as that will allow you to log what you need to have set up. Then once you have a list of things you know you need, add them and watch the logs again, adding in things as you see and verify them.

Also don't just add things in without checking that it's in your code, you don't want to add hack-me.com by mistake.

[–] ohshit604@sh.itjust.works 2 points 14 hours ago (1 children)

> First have a look at the report header Content-Security-Policy-Report-Only and add things you know about, as that will allow you to log what you need to have set up. Then once you have a list of things you know you need, add them and watch the logs again, adding in things as you see and verify them.

Thank you for this! I feel as if I got the idea; however, I failed on the execution. I added this to my routers.yml:

        contentSecurityPolicyReportOnly: "child-src; connect-src; default-src; font-src; frame-src; img-src; manifest-src; media-src; object-src; script-src; script-src-elem; script-src-attr; style-src; style-src-elem; style-src-attr; worker-src; report-to csp-report"

To my understanding the report-to directive at the end adds an endpoint called /csp-report, yet in my testing it doesn’t appear to exist and just leads to a 403. I’m likely doing something totally wrong, but I appreciate you pointing me in the right direction!

> Also don't just add things in without checking that it's in your code, you don't want to add hack-me.com by mistake.

That’s fair, I’m certainly no wiz at programming, and this is just self-hosted docker applications that I’ve jerry-rigged to work with one another.

[–] mhzawadi@lemmy.horwood.cloud 2 points 13 hours ago

Yeah that's the gist, there needs to be something on the end of /csp-report or it won't work.

Will have a look and see if I can make something.

[–] elvith@feddit.org 4 points 1 day ago (3 children)

Do you happen to know of any self-hosted report ingestion that allows me to check my CSP reports and somewhat visualize them? I know there are services like report-uri and such, but they do cost a monthly fee and probably also have a privacy impact for my visitors.

[–] mhzawadi@lemmy.horwood.cloud 1 points 39 minutes ago

I have started on a docker image that will allow you to collect the CSP reports 👉 https://github.com/mhzawadi/docker-csp-report

It's not working just yet, will work on it this week.

[–] forbiddenlake@lemmy.world 3 points 1 day ago

I looked into this a while back and didn't find anything complete. I ended up using a collector and feeding the reports into my existing Loki and making my own Grafana dashboard.

[–] mhzawadi@lemmy.horwood.cloud 2 points 1 day ago* (last edited 1 day ago)

Sorry I don't, but our devs have some PHP to log requests to a file. On Monday I will see if I can get that and make a docker image you can run.
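The "something on the end of /csp-report" mhzawadi describes, and the kind of self-hosted report ingestion elvith asks about, as an added example that is not code from this thread or from the docker-csp-report project: a minimal collector that accepts both wire formats browsers use for CSP violation reports and tallies them into the allow-list the enforced policy will need. The `/csp-report` path, port 8080 and the sample report bodies are assumptions constructed for the example.

```python
# Added example (not the thread's or docker-csp-report's code): a minimal self-hosted
# collector for the /csp-report endpoint. Browsers post violations in one of two formats:
#   legacy report-uri:  Content-Type application/csp-report,  {"csp-report": {...}}
#   report-to:          Content-Type application/reports+json, [{"type": "csp-violation", "body": {...}}]
import json
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample bodies, shaped like what a browser posts (not real reports).
SAMPLE_LEGACY = b'{"csp-report": {"document-uri": "https://app.example/", ' \
                b'"effective-directive": "script-src", "blocked-uri": "https://cdn.example/x.js"}}'
SAMPLE_REPORT_TO = b'[{"type": "csp-violation", "age": 12, "body": {"documentURL": "https://app.example/", ' \
                   b'"effectiveDirective": "img-src", "blockedURL": "https://img.example/a.png"}}]'

def parse_csp_reports(body: bytes) -> list[dict]:
    """Normalise either wire format to dicts with effective-directive / blocked-uri keys."""
    data = json.loads(body)
    if isinstance(data, dict) and isinstance(data.get("csp-report"), dict):
        return [data["csp-report"]]                      # legacy format already uses hyphenated keys
    out = []
    for rep in data if isinstance(data, list) else []:  # Reporting API: camelCase keys inside "body"
        if rep.get("type") == "csp-violation" and isinstance(rep.get("body"), dict):
            b = rep["body"]
            out.append({"document-uri": b.get("documentURL"),
                        "effective-directive": b.get("effectiveDirective"),
                        "blocked-uri": b.get("blockedURL")})
    return out

def summarize(reports: list[dict]) -> Counter:
    """Count (directive, blocked URI) pairs: the sources an enforced policy would have to allow."""
    c = Counter()
    for r in reports:
        c[(r.get("effective-directive") or "?", r.get("blocked-uri") or "?")] += 1
    return c

class CSPReportHandler(BaseHTTPRequestHandler):
    tally = Counter()                                   # aggregated across all requests

    def do_POST(self):
        if self.path != "/csp-report":
            self.send_response(404); self.end_headers(); return
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            CSPReportHandler.tally.update(summarize(parse_csp_reports(raw)))
        except (ValueError, AttributeError):            # malformed JSON or unexpected shape
            self.send_response(400); self.end_headers(); return
        self.send_response(204); self.end_headers()      # browsers expect a 2xx and no body

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), CSPReportHandler).serve_forever()
```

The reverse proxy must route `/csp-report` to this service rather than to the application behind it, and a policy using `report-to csp-report` only delivers reports if the response also carries `Reporting-Endpoints: csp-report="https://<your-host>/csp-report"`, whereas the older `report-uri /csp-report` needs no extra header.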

[–] possiblylinux127@lemmy.zip 0 points 23 hours ago

Is scripting an option? You could script adding the header.

[–] Cyberflunk@lemmy.world -1 points 1 day ago

I started with this in 2021 https://mgdm.net/weblog/csp-logging-with-nginx/

At some point in 2024 I got Claude to take over this management. Now I have an agent that maintains this workflow, and all CSP reports are in nginx/json.