I am interested in implementing a Content Security Policy (CSP) for my Node.js application. Mozilla’s docs are rather helpful but I am stuck at how to enable violation reports. I understand the basic premise of how they work (the browser sends a POST request to the specified URL to notify the website of a violation) but could not figure out where to find the JSON document describing the violation in the HTTP request. Perhaps this would have been obvious to someone more familiar with the HTTP spec.
Looking at the W3C draft for CSP, I established that the JSON is contained in a portion of the HTTP called the “entity body”. I still don’t know what the purpose of the entity is (the only mildly useful page I could find on the matter was one from the HTTP spec). I am assuming it the body of the request.
Perhaps more importantly, I cannot find any way to retrieve the contents of the entity body. I thought of using req.header('entity-body') but that doesn’t work as the entity is not a HTTP header. What is it and how to I fetch it?
(Additionally, I tried finding a tutorial on how to implement CSP violation reporting in Node.js and found nothing. I did find one for PHP but it wasn’t particularly helpful, referencing a file_get_contents('php://input') which I don’t have anything similar to in Node.js/Express.)
Any assistance would be greatly appreciated.
It turns out I was over-analyzing things. All you need to do is enable the
express.bodyParser()middleware for express and then fetchreq.bodyin the POST event handler. This retrieves the body of the HTTP request containing the JSON violation report.Enable middleware:
Retrieving violation report: