{"id":1759,"date":"2017-11-26T08:39:31","date_gmt":"2017-11-26T16:39:31","guid":{"rendered":"https:\/\/www.cloudinsidr.com\/content\/?p=1759"},"modified":"2017-11-29T18:46:43","modified_gmt":"2017-11-30T02:46:43","slug":"set-report-uri-prevent-code-injection-attacks","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/set-report-uri-prevent-code-injection-attacks\/","title":{"rendered":"How to set up Report URI to prevent code injection attacks"},"content":{"rendered":"

A web service called Report URI<\/a>\u00a0can be a great help in creating an HTTP security policy that will protect your web application without compromising its functionality. Here is how to set it up to bolster your defenses against code injection attacks.<\/p>\n

<\/p>\n

Code injection attacks pose a massive danger to any web application that’s exposed to the world. It literally takes minutes after a domain registration for the evildoers to come sniffing around. Chance are, they will keep coming back until the day they break in to vandalize your web application, hijack a user session or steal data some other way.\u00a0By setting HTTP Security Headers, you can reasonably prevent code injection attacks in most cases (for more, read: Fixing your Web Server\u2019s Security Headers: From Hall of Shame to Hall of Fame<\/a><\/em>). A Content Security Policy header can effectively suppress code injection attacks.<\/p>\n

There is no better way to define your content security headers than by using Report URI<\/a>. Here is how to set it up.<\/p>\n

The service allows you to obtain an\u00a0report-uri endpoint for use with the directive Content-Security-Policy-Report-Only to log security incidents that violate your security policy as a result of user interactions with your web application.<\/p>\n

Step 1. Obtain an\u00a0report-uri endpoint\u00a0<\/strong><\/h3>\n

In your web browser, navigate to<\/p>\n

https:\/\/report-uri.com\/<\/a><\/pre>\n
Sign-in to your account and head over to\u00a0the Setup<\/strong> section. From the list of\u00a0report-uri<\/strong> endpoints, select the address titled\u00a0Content-Security-Policy-Report-Only<\/strong>\u00a0and copy it to your clipboard.<\/p>\n
\"For<\/a>
For debugging and testing, use a report-uri endpoint of the type Content-Security-Policy-Report-Only<\/figcaption><\/figure>\n
Next, you will want to enter this address into your web server configuration for your domain, but before the service will start collecting information, you have to do one more thing: define the domains to collect reports for.<\/p>\n
Step 2. Enter eligible domains to collect security incident reports for<\/h3>\n
Navigate to the Filters section. Enter all the domains you want to keep an eye on into the field “Sites to collect reports for”, without the scheme, separated by a space:<\/p>\n
domain1.tld domain2.tld domain3.tld<\/pre>\n
\"Report<\/a>
Report URI: enter eligible domains to collect reports for<\/figcaption><\/figure>\n
The service Report URI is now ready to collect reports\u2014but is your web server ready to ask user agents to submit them?<\/p>\n
Step 3. Configure your web server to use the report-uri endpoint<\/h3>\n
Setting up your web server to use your report-uri endpoint involvs adding a directive to your web server configuration file (see\u00a0How to Create a Content Security Policy to Protect Your Web Application against XSRF\/CSRF\/XFS, Clickjacking and Other Code Injection Attacks<\/em><\/a> for details). After a brief delay, the reports of any incidents that violate your current polity should begin streaming in. You will find them in the CSP section of your Report URI account.<\/p>\n
Create a Content Security Policy to Protect Your Web Application against XSRF\/CSRF\/XFS, Clickjacking and Other Code Injection Attacks<\/a><\/p><\/blockquote>\n