Can we hide URL of Content-Security-Policy error log?

Time:10-24

When we use CSP we can enter an error log URL for it; every time an error occurs, the error with its details will be sent to that URL and I can log it. Is it not dangerous that everybody knows our CSP error log URL? For example, everybody can send fake data to the CSP error log URL.
Can we hide it from the public?

content-security-policy: default-src 'self'; report-uri /api/CspReport/Log

CodePudding user response:

You cannot hide the CSP reports endpoint; CSP designers assume it's safe to expose it.

There's no point in spamming CSP endpoints, because:

  • A properly crafted CSP endpoint checks the domains that are allowed to send reports and rejects fake ones.
  • In case server-side spam is used, the CSP endpoint can easily block these by IP.
  • If some sites use a hidden script to send fake reports, the reports will be sent with the visitor's IP. But CSP reports are sent with a mandatory referrer field and, AFAIK, for CSP this cannot be disabled in the browser settings. Therefore you can block fake reports via the referrer.

Since this kind of spam has no ROI (return on investment), no one will waste their resources on it.

Note: if you are very concerned about it, it is possible to organize protection along the lines of the decoy targets that aircraft scatter to protect against missiles.
You can specify a lot of CSP endpoints in the report-uri and only one will be the real endpoint. The other ones will do nothing and just return 204 No Content or 200 OK, as a real CSP endpoint does.

Also, for endpoints you can generate random subdomains in your domain and periodically change them.
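The filtering the answer describes (check the report's document-uri and the request's referrer against your own origins, answer 204 either way so a sender learns nothing), as an added example that is not part of the answer or of any real endpoint. The origins, headers and report body are constructed sample values.

```python
import json
from urllib.parse import urlsplit

# Origins whose pages may legitimately emit CSP reports here (constructed sample).
ALLOWED_ORIGINS = {"https://example.com", "https://www.example.com"}

# Constructed sample of what a browser POSTs to the report-uri endpoint.
SAMPLE_HEADERS = {"content-type": "application/csp-report",
                  "referer": "https://example.com/checkout"}
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://example.com/checkout",
    "violated-directive": "script-src",
    "blocked-uri": "https://unwanted.example/x.js"}})


def origin_of(url):
    """Return scheme://host[:port] of a URL, or None if it has no scheme/host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def handle_csp_report(headers, body, allowed_origins=ALLOWED_ORIGINS):
    """Decide whether one report-uri POST is worth logging.

    Returns (http_status, decision). The status is always 204 so that a
    spammer cannot tell accepted reports from dropped ones; the decision
    string is what you would log or count internally.
    """
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/csp-report":
        return 204, "drop: wrong content type"
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):
        return 204, "drop: malformed body"
    if not isinstance(report, dict):
        return 204, "drop: missing csp-report object"
    # The report must claim to come from one of our pages ...
    if origin_of(report.get("document-uri", "")) not in allowed_origins:
        return 204, "drop: document-uri not ours"
    # ... and the browser's Referer header must agree with that claim.
    if origin_of(headers.get("referer", "")) not in allowed_origins:
        return 204, "drop: referer not ours"
    return 204, "accept"
```

The decoy endpoints mentioned above would simply return 204 unconditionally; only the real one runs this check.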
