How to Set Up report-uri.com on Django
2021-01-05
In recent years browsers have gained many powers to report back problems they encounter on your site, such as:
- Network Error Logging (NEL) can report bad HTTP statuses, expired TLS certificates, etc.
- Content Security Policy can report banned resources found on your site.
- Deprecation reports can tell you that you’re using web APIs that will soon be removed.
Browsers send these reports to URIs listed in specific security headers, including the experimental
These are really useful since they can uncover issues that would otherwise go unseen.
A service for collecting, parsing, and making sense of these reports is report-uri.com. It’s run by Scott Helme, a security researcher who also made the useful free tool securityheaders.com. It makes a lot of sense to use a separate service for receiving browser reports: if your own site has a problem, it’s likely you’d have problems collecting the reports too!
Yesterday I set up report-uri.com on my new Django project db-buddy.com. Here’s how I did it.
Note: I added the headers from within Django. This makes sense for me since I’m deploying on Heroku and serve all URLs from Django, including static assets via Whitenoise. If your site is a bit more complicated than this, you might want to add the headers via a wrapping web server, such as nginx, in which case follow the report-uri.com docs.
Adding the Headers
First, I signed up. After the usual account creation I landed on the setup screen. This provides the values to plug into the various headers:
Second, I added the Content Security Policy report. I’m using django-csp to control my CSP header, so this required just one more setting:
Third, I added a middleware to inject two more headers - the generic
NEL for network error logging:
This fit in just after my other security header middleware:
I also added a test, verifying that the middleware worked and I’d copied the JSON from report-uri.com correctly:
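To show the shape of the middleware and test described above, here is an added example (my own illustration, not the code from the original post or from django-csp). It assumes a placeholder report-uri.com endpoint URL and an assumed middleware name; the real URL comes from your report-uri.com setup screen. The middleware only relies on the response supporting item assignment, as Django’s HttpResponse does, so it can be exercised without Django installed.

```python
import json

# Placeholder endpoint: substitute the URL shown on your report-uri.com setup screen.
REPORT_URI_ENDPOINT = "https://example-subdomain.report-uri.com/a/d/g"
MAX_AGE_SECONDS = 31536000  # one year; browsers cache the reporting config this long

# Report-To defines a named group of endpoints; NEL points at that group by name.
REPORT_TO_HEADER = json.dumps({
    "group": "default",
    "max_age": MAX_AGE_SECONDS,
    "endpoints": [{"url": REPORT_URI_ENDPOINT}],
    "include_subdomains": True,
}, separators=(",", ":"))

NEL_HEADER = json.dumps({
    "report_to": "default",
    "max_age": MAX_AGE_SECONDS,
    "include_subdomains": True,
}, separators=(",", ":"))


class ReportingHeadersMiddleware:
    """Assumed name: Django-style middleware adding Report-To and NEL to each response."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        response["Report-To"] = REPORT_TO_HEADER
        response["NEL"] = NEL_HEADER
        return response


def headers_for(request=None):
    """Run the middleware over a dict standing in for a response; return the headers."""
    middleware = ReportingHeadersMiddleware(lambda _request: {})
    return middleware(request)


def parsed_headers(request=None):
    """What a test checks: both headers are valid JSON and NEL's group matches Report-To's."""
    headers = headers_for(request)
    report_to = json.loads(headers["Report-To"])
    nel = json.loads(headers["NEL"])
    if nel["report_to"] != report_to["group"]:
        raise ValueError("NEL report_to must name the Report-To group")
    return report_to, nel
```

In a real project the class goes in MIDDLEWARE next to SecurityMiddleware, and the test calls the view through Django’s test client instead of the dict stand-in.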
Once the above changes were deployed, reports started coming in.
For example, here’s a network error report I received from someone testing my /500/ URL, which demos the “Internal Server Error” screen:
It’s awesome to see this development in browsers. report-uri.com is a really easy-to-set-up service and I’m looking forward to using it going forwards.