> managing changes to the policy and having a reporting endpoint that gives you insights into what is being violated is still difficult.
Setting a CSP header can be simple but managing changes to it can get difficult. Especially as team members add or remove services from the app (Intercom, Google Analytics, etc.)
We also provide a reporting endpoint that captures all violations. Do you currently use a CSP header with a report-uri setting?
Ahh that makes sense. We have an API-driven SPA, so our API is just banned from returning anything fun. But I can see how this becomes an issue for apps with server-side rendering based on how annoying it is to manage the CSP on our front end.
There is a lot more signal than noise, especially the way we aggregate the security reports. CSP can be deployed in report-only mode, which provides a great way to detect how your policy has to come together.
I guess in my mind signal == attacks, but I guess there's also value in having reports when your policy broke things if you don't have other methods for detecting that, or if your integration tests disable CSP.
Is this targeting management at companies with multiple products? As a developer I just use Django Middleware to add this line to all our responses and call it a day:
response['Content-Security-Policy'] = "default-src 'none'"
(Well, we still sanitize all our inputs and have the headers to block XSS reflection, but there's still not much complexity.)
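The thread touches three things in turn: a one-line policy set from middleware, a report-uri endpoint that captures violations, and report-only mode for testing a policy before enforcing it. The following is an added example (not code from anyone in the thread, and not the product being discussed) that shows all three in plain Python with no Django dependency: it serializes a policy dict into the header value, picks the enforce or report-only header name, parses the JSON a browser POSTs to the reporting endpoint (both the legacy `csp-report` wrapper and the Reporting API list shape), and aggregates violations by directive and blocked origin. The `/csp-report/` path, the `app.example` document URLs and the sample reports are constructed for the example; the Django hook would be one `response[name] = value` per pair returned by `csp_headers()`.

```python
"""Added example, not from the thread: build a CSP header with report-uri,
choose enforce vs. report-only mode, and aggregate violation reports."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical reporting endpoint path (any route to the report handler works).
REPORT_URI = "/csp-report/"


def build_csp(directives, report_uri=REPORT_URI):
    """Serialize a {directive: [sources]} dict into a CSP header value.
    Directives are emitted in sorted order so diffs of the policy stay stable
    when team members add or remove a service."""
    parts = [f"{name} {' '.join(directives[name])}" for name in sorted(directives)]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def csp_headers(directives, report_only=False, report_uri=REPORT_URI):
    """Return the (header-name, value) pair to attach to a response.
    Report-only mode sends violation reports without blocking anything, which
    is how you learn what a new policy would break before enforcing it."""
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, build_csp(directives, report_uri)


def parse_csp_report(body):
    """Normalize a violation report POSTed to report-uri. Accepts the legacy
    {"csp-report": {...}} shape and the Reporting API's list of
    {"type": "csp-violation", "body": {...}} objects."""
    data = json.loads(body)
    records = []
    for item in (data if isinstance(data, list) else [data]):
        if "csp-report" in item:
            r = item["csp-report"]
            records.append({
                # Older browsers only send violated-directive; prefer effective.
                "directive": r.get("effective-directive") or r.get("violated-directive"),
                "blocked": r.get("blocked-uri", ""),
                "document": r.get("document-uri", ""),
            })
        elif item.get("type") == "csp-violation":
            r = item["body"]
            records.append({
                "directive": r.get("effectiveDirective"),
                "blocked": r.get("blockedURL", ""),
                "document": r.get("documentURL", ""),
            })
    return records


def _origin(uri):
    """Collapse a blocked URI to its origin so one noisy script does not make a
    separate bucket per query string; keyword values like 'inline' stay as-is."""
    parts = urlsplit(uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return uri or "(empty)"


def aggregate(reports):
    """Count violations by (directive, blocked origin)."""
    return Counter((r["directive"], _origin(r["blocked"])) for r in reports)


# Constructed sample: an API that returns nothing executable gets the
# minimal policy from the thread, plus a report-uri.
API_POLICY = {"default-src": ["'none'"]}

# Constructed sample reports in the shapes a browser would POST.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/dashboard",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "blocked-uri": "https://widget.intercom.io/widget/abc?v=1"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://app.example/dashboard",
        "violated-directive": "script-src",
        "blocked-uri": "https://widget.intercom.io/widget/abc?v=2"}}),
    json.dumps([{"type": "csp-violation", "body": {
        "documentURL": "https://app.example/settings",
        "effectiveDirective": "img-src",
        "blockedURL": "https://www.google-analytics.com/collect"}}]),
]


def summarize(bodies=SAMPLE_REPORTS):
    """Parse every POSTed body and return the aggregated counts."""
    records = []
    for body in bodies:
        records.extend(parse_csp_report(body))
    return aggregate(records)


if __name__ == "__main__":
    print(csp_headers(API_POLICY))
    print(csp_headers(API_POLICY, report_only=True))
    for (directive, origin), n in summarize().most_common():
        print(f"{n:3d}  {directive:12s} {origin}")
```

Aggregating by origin rather than full URL is what turns a flood of reports into a short list of "this directive blocks this service" rows, which is the decision a team actually has to make when someone adds a new third-party script.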