Receiving Content-Security-Policy reports in ColdFusion or Lucee

The Content-Security-Policy header is used to secure assets on the site such as scripts, styles and media. It helps mitigate data injection attacks and XSS attacks, among others. But since you are here, you probably know this.

The Content-Security-Policy header contains a configuration option that tells the browser where to send policy violation reports. By default, it is not set. You can configure it by adding the report-uri directive to your policy, like this:

Content-Security-Policy: default-src 'self'; report-uri https://my.server/my-page-to-collect-reports.cfm

In the example above, I’m asking the browser to send reports to /my-page-to-collect-reports.cfm. The report itself is sent in the request body, so we need to read that body. The function that provides request data is named GetHttpRequestData(), and we want to focus on the content variable in the struct it returns.

The content variable is provided as a byte array, so we should use toString to get something more useful. Finally, because it is a JSON-encoded struct, we will use DeserializeJSON.

Here is the sample code of my-page-to-collect-reports.cfm:

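<cfscript>
// GetHttpRequestData().content holds the raw request body as a byte array;
// toString turns it into a string and DeserializeJSON parses it into a struct
reportContents = DeserializeJSON(toString(GetHttpRequestData().content));
// save report contents to the database or to the log
</cfscript>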

Because this page will be called by the browser, but not displayed anywhere, it is handy to save report contents to the database or a log file. Such a log should be reviewed regularly, to make sure that there are no blocked assets we want to allow. Especially when we add a new external JS library 🙂
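
Since the collector page accepts a POST from any client, the body should be treated as untrusted before it reaches the log. The following is an added example, not code from the original post: a hardened variant of the page that checks method, size and JSON shape, then logs selected fields from the "csp-report" object browsers send to report-uri. The 16 KB cap, the "csp-reports" log file name, the field selection and the cleanForLog helper are assumptions chosen for illustration.

```cfml
<cfscript>
// Added example: hardened variant of my-page-to-collect-reports.cfm.
// Assumed values: size cap, log file name and the list of fields to keep.
maxChars = 16384;
wanted   = ["document-uri", "violated-directive", "effective-directive",
            "blocked-uri", "source-file", "line-number"];
req      = GetHttpRequestData();
status   = 204; // the browser ignores the response, so send no body back

// Replace control characters and cap the length, so a forged report
// cannot inject extra lines into the log or bloat it.
function cleanForLog(required any value) {
    if (!isSimpleValue(arguments.value)) return "";
    return left(reReplace(toString(arguments.value), "[[:cntrl:]]", " ", "all"), 500);
}

if (req.method != "POST") {
    status = 405;
} else {
    body = toString(req.content);
    if (len(body) == 0 || len(body) > maxChars || !isJSON(body)) {
        status = 400; // empty, oversized or not JSON: do not parse or log
    } else {
        parsed = DeserializeJSON(body);
        // report-uri reports wrap the violation details in a "csp-report" key
        if (isStruct(parsed) && structKeyExists(parsed, "csp-report")
                && isStruct(parsed["csp-report"])) {
            report = parsed["csp-report"];
            parts  = [];
            for (key in wanted) {
                if (structKeyExists(report, key)) {
                    arrayAppend(parts, key & "=" & cleanForLog(report[key]));
                }
            }
            // One line per violation keeps the regular review simple
            writeLog(text = arrayToList(parts, " | "), type = "warning", file = "csp-reports");
        } else {
            status = 400;
        }
    }
}
cfheader(statuscode = status);
</cfscript>
```

Only an allow-list of fields is logged, so unexpected keys in a forged report never reach the log file.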