API endpoint for receiving incident reports from Content Security Policy (CSP), HTTP Public Key Pinning (HPKP), and the HTTP Reporting API.
Project description
A Django-based API endpoint for collecting and processing automatic incident reports send by your visitors’ web browsers. Currently that includes both Content Security Policy (CSP) and HTTP Public Key Pinning (HPKP), but support for additional report types is planned.
Before getting started you should familiarize yourself with the standards and their potential pitfalls (especially HPKP). The risks can be mitigated significantly by using Django Lookout along with report-only policies, which would still allow you to be notified of potential attacks without the risk of accidentally rendering your web site inaccessible.
It’s important to note that Django Lookout only handles the reporting part of the process. Setting the headers which tell browsers what to do, or even where to send reports, is outside its scope. You’ll need to set the report-uri property for CSP and/or HPKP to point to your Django Lookout endpoint.
Install and Configure
Notes
If you’re using HPKP, Django Lookout has to be set up on a different domain name.
Step 1
pip install Django-LookoutAdd the app to your Django project’s settings.py:
INSTALLED_APPS = [
...
'lookout',
...
]Step 2
Add the API endpoint to urls.py.
urlpatterns = [
...
# Django Lookout
url(r'^reporting', include('lookout.urls')),
...
]Notes
You can set the pattern to whatever you want. That’s where you’ll be pointing report-uri.
Be mindful of trailing slashes.
Step 3
Run the database migrations:
./manage.py migrate lookoutUseful Guides
Content Security Policy
HTTP Public Key Pinning
Standards
Support for these standards is planned to be implemented in Django Lookout 1.0.
Out-of-Band Reporting API ✅ A generic incident reporting API that can be used by all of the following standards. Django Lookout automatically converts “legacy” incident reports to the generic schema.
Content Security Policy ✅ Browsers will (optionally) block unauthorized content and send an incident report if a resource is requested which isn’t permitted by the policy.
HTTP Public Key Pinning ✅ Browsers supporting HPKP will (optionally) block connections and send an incident report if the site doesn’t use the specified HTTPS certificate in the future.
Network Error Logging Browsers supporting NEL will send incident reports if a networking error is encountered when requesting content.
Expect-CT Browsers supporting Report-CT will send an incident report if it receives a certificate which doesn’t adhere to Certificate Transparency guidelines.
Expect-Staple Browsers supporting Expect-Staple will send an incident report if a TLS handshake with the site doesn’t include an OCSP response.
Browser Implementation Status
No standards are currently supported across all major browsers, though it’s hoped that the generic reporting API will significantly improve the situation in modern browsers.
Notes
This table only considers a feature supported if it includes reporting functionality.
Internet Explorer is excluded due to the fact that it doesn’t support any of these features via standard headers.
Chrome |
Edge |
Firefox |
Safari |
|
|---|---|---|---|---|
Content Security Policy (CSP) |
Supported |
Supported |
||
HTTP Public Key Pinning (HPKP) |
Not Supported |
|||
Out-of-Band Reporting API |
Not Supported |
Not Supported |
Not Supported |
|
Network Error Logging (NEL) |
Not Supported |
Not Supported |
||
Expect-CT |
? |
? |
||
Expect-Staple |
? |
? |
? |
? |
Tools and Similar Projects
Observatory by Mozilla. General website security testing suite.
securityheaders.io. Testing suite for security-related HTTP response headers.
django-csp-reports. A similar project specifically for CSP reports.
report-uri.io. A commercial service which serves a similar purpose. They also have some useful free testing tools.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Hashes for Django_Lookout-0.1.1-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 00cb200e7ce6df973f3471da57c10ebc57350d7d2a7bdbd3f64792d05c9c04c1 |
|
| MD5 | c67269342b7e63cc4477dcd2cc51d2ca |
|
| BLAKE2b-256 | b323d4e6ed116e04342258ce8d5e073ed7a4ca95c97710f1d85332b3b3a5f089 |
