I've been playing with the security headers for this website for the past few days, most notably with the Content-Security-Policy as well as the Expect-CT headers.
After having spent a few hours on this, I'm pretty happy with the results!
Source: Observatory by Mozilla
This website runs on a Ghost installation that I keep up-to-date. Since an update might mean that the site will try to load new external resources, the Content-Security-Policy header might need updating as well.
This header has a report-uri directive that makes web browsers send JSON-formatted messages describing the policy violations they encounter.
There's a great website (Report-URI) that you can use to handle these reports. It allows up to 10,000 reports per month with a free account, which should be enough for a low to mid traffic website once you've set up your initial policy.
However, since I'm all about self-hosting all of the things, I figured I would configure my own report-uri using a PHP script.
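As an added example (not the author's PHP script, which this post does not show), here is the receiving side written in Python: it validates a report-uri POST in the legacy `application/csp-report` JSON format and reduces it to one bounded log line, so that a forged or oversized report cannot pollute the log. The Content-Type check, the 64 KiB body limit and the sample report are assumptions made for the example.

```python
import json
from typing import Optional

# Fields carried inside the "csp-report" object of a legacy report-uri POST.
# Everything else (referrer, original-policy, ...) is dropped from the log.
KEEP = ("document-uri", "violated-directive", "effective-directive",
        "blocked-uri", "source-file", "line-number", "status-code")
MAX_BODY = 64 * 1024  # assumed limit: refuse oversized bodies before parsing

def parse_csp_report(body: bytes, content_type: str) -> Optional[dict]:
    """Return a normalised violation dict, or None if the POST is not a usable report."""
    if len(body) > MAX_BODY:
        return None
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in ("application/csp-report", "application/json"):
        return None
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    # Every value is client-supplied text, so clip it to keep log lines bounded.
    out = {k: str(report.get(k, ""))[:512] for k in KEEP}
    if not out["violated-directive"] and not out["effective-directive"]:
        return None
    return out

def format_log_line(violation: dict) -> str:
    """One tab-separated line per report; CR/LF removed so a report can't inject extra log lines."""
    clean = lambda s: s.replace("\r", " ").replace("\n", " ")
    return "\t".join(clean(violation[k]) for k in KEEP)

# Constructed sample resembling what a browser sends when an inline script is blocked.
SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://example.com/post/",
    "referrer": "",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; report-uri /csp-report.php",
    "blocked-uri": "inline",
    "status-code": 200,
}}).encode()

if __name__ == "__main__":
    print(format_log_line(parse_csp_report(SAMPLE, "application/csp-report")))
```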