Self-hosted Content-Security-Policy report, etc, collector/displayer?
tl;dr: self-hosted report-uri.com
?
I messed up my site's Content-Security-Policy and blew up my report quota on report-uri.com last month. I'm happy with them, but I don't really want to pay for this service, and I want to avoid that in the future. So I'm looking for something(s) to:
- Collect Content-Security-Policy browser reports (go-csp-collector is sufficient here, if not great, as it doesn't support the newer Report-To) and log to JSON (or whatever)
- Collect other browser reports such as NEL, Deprecation, Crash and log to JSON
- Collect SMTP-TLS and DMARC email reports and log to JSON
- Display them somehow for searching and for seeing trends: preferably something less manual than Grafana, but I can collect the logs and do custom dashboards in Grafana that parse JSON (or whatever) logs if I need to.
- Let me filter incoming reports based on various things (like ignore CSP reports with no URL)
In my searches I found plenty of SaaS and no source code for the whole thing. Sentry and its clones are too much; I don't want to instrument an app I don't have. I did find plenty of 5-year old abandoned projects, though.
So, what's out there in this space for self-hosting?
For reference, report-uri.com looks like the below, with the ability to drill down and filter and see reports.
This is something I'm also interested in; if you find something please update us