From 9e5cdbd133528e6454dd0a73b6842fce4c2add2e Mon Sep 17 00:00:00 2001 From: Joe Grandja Date: Wed, 30 Mar 2016 12:12:43 -0400 Subject: [PATCH] Includes a reference to the https://report-uri.io/ service in the CSP and HPKP documentation. Fixes gh-3772 --- docs/manual/src/docs/asciidoc/index.adoc | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/docs/manual/src/docs/asciidoc/index.adoc b/docs/manual/src/docs/asciidoc/index.adoc index 1fe9cad345..6906364bad 100644 --- a/docs/manual/src/docs/asciidoc/index.adoc +++ b/docs/manual/src/docs/asciidoc/index.adoc 
@@ -3775,16 +3775,20 @@ When the client visits the server again, it expects a certificate containing a p [NOTE] ==== -Because the UA needs to validate the pins against the SSL certificate chain, the HPKP header is only injected into HTTPS responses. +Because the user-agent needs to validate the pins against the SSL certificate chain, the HPKP header is only injected into HTTPS responses. ==== -Enabling this feature for your site is as simple as returning the Public-Key-Pins HTTP header when your site is accessed over HTTPS. For example the following would instruct the browser to only report pin validation failures to a given URI for 2 pins: +Enabling this feature for your site is as simple as returning the Public-Key-Pins HTTP header when your site is accessed over HTTPS. +For example, the following would instruct the user-agent to only report pin validation failures to a given URI (via the https://tools.ietf.org/html/rfc7469#section-2.1.4[*_report-uri_*] directive) for 2 pins: [source] ---- Public-Key-Pins-Report-Only: max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" ; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" ; report-uri="http://example.net/pkp-report" ; includeSubDomains ---- +A https://tools.ietf.org/html/rfc7469#section-3[*_pin validation failure report_*] is a standard JSON structure that can be captured +either by the web application's own API or by a publicly hosted HPKP reporting service, such as, https://report-uri.io/[*_REPORT-URI_*]. + The optional includeSubDomains directive instructs the browser to also validate subdomains with the given pins. Opposed to the other headers, Spring Security does not add HPKP by default. You can customize HPKP headers with the <>> element as shown below: 
@@ -3969,6 +3973,9 @@ the following response header will instruct the user-agent to send violation rep Content-Security-Policy: script-src https://trustedscripts.example.com; report-uri /csp-report-endpoint/ ---- +https://www.w3.org/TR/CSP2/#violation-reports[*_Violation reports_*] are standard JSON structures that can be captured +either by the web application's own API or by a publicly hosted CSP violation reporting service, such as, https://report-uri.io/[*_REPORT-URI_*]. + The *_Content-Security-Policy-Report-Only_* header provides the capability for web application authors and administrators to monitor security policies, rather than enforce them. This header is typically used when experimenting and/or developing security policies for a site. When a policy is deemed effective, it can be enforced by using the _Content-Security-Policy_ header field instead.
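Review bot: The HPKP example in the first hunk still reports to a plaintext endpoint, `report-uri="http://example.net/pkp-report"`, while the new sentence points readers at a hosted reporting service; a pin validation failure report sent over HTTP discloses the site's pin configuration and the failing chain to anyone on the path, so the example should use an `https://` report URI, matching the HTTPS-only injection rule stated in the NOTE above it. Two smaller points in the same hunk: the added sentence reads "such as, https://report-uri.io/[*_REPORT-URI_*]" and the comma after "such as" should go, and the prose still says "returning the Public-Key-Pins HTTP header" while the example immediately below is `Public-Key-Pins-Report-Only`, which the sentence could name explicitly since the paragraph is about report-only mode.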
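Review bot: The sentence added in the second hunk recommends a publicly hosted reporting service for CSP violation reports without saying what leaves the site when that is done; a violation report carries the document URI, the blocked URI and the violated directive, so pointing `report-uri` at a third party means that data is sent to it for every violation, and one clause noting that would let readers weigh the hosted option against the application's own API, which the sentence already mentions first. Style: the same "such as, https://report-uri.io/[*_REPORT-URI_*]" wording appears here with the stray comma after "such as", and the two new paragraphs are near-duplicates, so a single shared sentence (or the same phrasing in both) would read more consistently in the manual.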