Django Lookout is an API endpoint for collecting and processing automatic incident reports send by your visitors' web browsers. Currently that includes both Content Security Policy (CSP) and HTTP Public Key Pinning (HPKP), but support for additional report types is planned.
Before getting started you should familiarize yourself with the standards and their potential pitfalls (especially HPKP). The risks can be mitigated significantly by using Django Lookout along with report-only policies, which would still allow you to be notified of potential attacks without the risk of accidentally rendering your web site inaccessible.
It's important to note that Django Lookout only handles the reporting part of the process. Setting the headers which tell browsers what to do, or even where to send reports, is outside its scope. You'll need to set the report-uri
property for CSP and/or HPKP to point to your Django Lookout endpoint.
- HTTP Reporting API
A generic incident reporting API that can be used by all of the following standards. Django Lookout automatically converts reports using "legacy" schemas to the generic schema.
- Content Security Policy
Browsers will (optionally) block unauthorized content and send an incident report if a resource is requested which isn't permitted by the policy.
- HTTP Public Key Pinning
Browsers supporting HPKP will (optionally) block connections and send an incident report if the site doesn't use the specified HTTPS certificate in the future.
These standards are planned to be supported in Django Lookout 1.0:
- Network Error Logging
Browsers supporting NEL will send incident reports if a networking error is encountered when requesting content.
- Expect-CT
Browsers supporting Report-CT will send an incident report if it receives a certificate which doesn't adhere to Certificate Transparency guidelines.
- Expect-Staple
Browsers supporting Expect-Staple will send an incident report if a TLS handshake with the site doesn't include an OCSP response.
The only standard currently supported across all major browsers is Content Security Policy. It's hoped that the HTTP Reporting API will significantly improve the situation in the future.
Note
This table only considers a feature supported if it includes reporting functionality.
Note
Internet Explorer is excluded due to the fact that it doesn't support any of these features via standard headers.
Standard | Chrome | Firefox | Edge | Safari |
---|---|---|---|---|
Content Security Policy (CSP) | Supported | Supported | Supported1 | Supported2 |
HTTP Public Key Pinning (HPKP) | Supported3 | Not Supported4 | Not Supported5 | Not Supported |
HTTP Reporting API | Not Supported6 | Not Supported | Not Supported | Not Supported |
Network Error Logging (NEL) | Not Supported7 | Not Supported | Not Supported8 | Not Supported |
Expect-CT | Supported9 | Not Supported10 | ? | ? |
Expect-Staple | ? | ? | ? | ? |
- Observatory by Mozilla. General website security testing suite.
- securityheaders.io. Testing suite for security-related HTTP response headers.
- django-csp-reports. A similar project specifically for CSP reports.
- report-uri.io. A commercial service which serves a similar purpose. They also have some useful free testing tools.
Footnotes