Security Policy Reporting

Sentry can collect Content-Security-Policy (CSP) violations, as well as Expect-CT and HTTP Public Key Pinning (HPKP) failures. You set the corresponding HTTP header on your server, and the browser sends each violation or failure report to the Sentry endpoint named in the header's report-uri.

The integration process consists of configuring the appropriate header with your project key’s Security Header endpoint found at Project Settings > Security Headers.

Content-Security-Policy

Content-Security-Policy (CSP) is a security standard which helps prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It’s enforced by browser vendors, and Sentry supports capturing CSP violations using the standard reporting hooks.

To configure CSP reports in Sentry, you'll need to send a header from your server describing your policy, as well as specifying the authenticated Sentry endpoint:

Content-Security-Policy: ...; report-uri https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey

Alternatively, you can set up CSP in report-only mode, so that violations are reported but the policy is not enforced:

Content-Security-Policy-Report-Only: ...; report-uri https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey

When defining your policy, make sure that sentry.io (or your self-hosted Sentry domain) is allowed by your default-src or connect-src directive; otherwise browsers will block the requests that submit policy violations.

For more information, see the article on MDN.

Expect-CT

Certificate Transparency (CT) is a security standard that helps track and identify valid certificates, making it possible to spot maliciously issued ones.

To configure Expect-CT reports in Sentry, you'll need to send the Expect-CT header from your server:

Expect-CT: ..., report-uri="https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey"

For more information, see the article on MDN.

HTTP Public Key Pinning

HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server, reducing the risk of man-in-the-middle (MITM) attacks using forged certificates. It's enforced by browser vendors, and Sentry supports capturing violations using the standard reporting hooks.

To configure HPKP reports in Sentry, you'll need to send a header from your server describing your policy, as well as specifying the authenticated Sentry endpoint:

Public-Key-Pins: ...; report-uri="https://o0.ingest.sentry.io/api/0/security/?sentry_key=examplePublicKey"

For more information, see the article on MDN.

Additional Configuration

In addition to the sentry_key parameter, you may also pass the following parameters in the query string of the report URI:

sentry_environment
The environment name (for example, production). The environment name is case sensitive and can't contain newlines, spaces, or forward slashes. It can't be the string "None" or exceed 64 characters.

sentry_release
The version of the application.
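As an added example (not Sentry's own code), the following Python builds the report URI with the optional sentry_environment and sentry_release parameters, enforcing the environment-name rules listed above, and composes a CSP header that refuses to ship unless the reporting host is covered by connect-src or default-src, as the Content-Security-Policy section requires. The endpoint and key are the constructed example values from this page, and the source matching is a minimal host-source check rather than a complete CSP parser.

```python
from urllib.parse import urlencode, urlsplit

SENTRY_ENDPOINT = "https://o0.ingest.sentry.io/api/0/security/"  # constructed; use your project's

def build_report_uri(key, environment=None, release=None):
    """Build the report-uri, applying the sentry_environment rules from this page."""
    params = {"sentry_key": key}
    if environment is not None:
        if (environment == "None" or len(environment) > 64
                or any(c in environment for c in "\n\r /")):
            raise ValueError("invalid sentry_environment: %r" % environment)
        params["sentry_environment"] = environment
    if release is not None:
        params["sentry_release"] = release
    return SENTRY_ENDPOINT + "?" + urlencode(params)

def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(src, hostname):
    """Minimal host-source match: '*', 'https://host', 'host' or '*.domain'."""
    if src.startswith("'"):  # keywords such as 'self' never name an external host
        return False
    if src == "*":
        return True
    host = src.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    if host.startswith("*."):
        return hostname.endswith(host[1:])
    return host == hostname

def report_uri_allowed(header):
    """True if connect-src (falling back to default-src) covers the report-uri host."""
    policy = parse_csp(header)
    if "report-uri" not in policy:
        return False
    hostname = urlsplit(policy["report-uri"][0]).hostname
    sources = policy.get("connect-src", policy.get("default-src", []))
    return any(source_matches(s, hostname) for s in sources)

def build_csp(directives, report_uri):
    """Compose the header value and refuse a policy that would block its own reports."""
    header = "; ".join("%s %s" % (k, v) for k, v in directives.items())
    header += "; report-uri " + report_uri
    if not report_uri_allowed(header):
        raise ValueError("report-uri host is not in connect-src/default-src")
    return header
```

Send the returned value as Content-Security-Policy, or as Content-Security-Policy-Report-Only while you are still tuning the policy.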
