Hi all,


Our CSP report is flooding our error log with errors and I wanted to know how I can turn off this report.

João Forte Carvalho wrote:

Hi all,


Our CSP report is flooding our error log with errors and I wanted to know how I can turn off this report.

Hi Joao, check if this page has the information you seek: https://success.outsystems.com/Documentation/11/Managing_the_Applications_Lifecycle/Secure_the_Applications/Apply_Content_Security_Policy


Carlos Lessa wrote:

Hi Joao, check if this page has the information you seek: https://success.outsystems.com/Documentation/11/Managing_the_Applications_Lifecycle/Secure_the_Applications/Apply_Content_Security_Policy


It only says how to activate it :/


João Forte Carvalho wrote:

It only says how to activate it :/


I'm a little out of the comfort zone but try to remove any entrance on this field:


It replaces with <internal> as soon as I try to save it blank

João Forte Carvalho wrote:

It replaces with <internal> as soon as I try to save it blank

Hello João,


Currently, it doesn't matter what you write in the "Report-to" box, since it will always add the "internal" after, so there's no way to stop reporting, as far as I know.
There's already an idea created for this topic. Check it out and "like" it, to see if OutSystems "listens" to us and gives us a way to fix this problem.

https://www.outsystems.com/ideas/3372/separate-log-for-content-security-policy-reports

regards

Hi João,

Indeed the CSP reporting cannot be turned off AFAIK.

All the reports are being posted via this internal REST API. From there on the CSP violations (meaning: blocked resources) are being written to the Error logs.

I'm just thinking out loud here, but stopping this would mean either disabling the SecurityUtils module via Service Center (which we cannot do since this module is not even listed) or maybe trying to block the API calls with firewall software (which I would not recommend since that could lead to possible platform misbehavior and moreover these reports are needed in order to monitor CSP violations).

Anyhow, I agree that it would be better if the logs could be redirected elsewhere. So thanks for sharing the idea Gonçalo, I voted on it :).

Regards,

Nordin
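
Since the replies above conclude that the reporting cannot be switched off, a practical way to cut the noise is to see which directive and source account for most of the violations. The following is an added example, not code from the thread or from OutSystems: it assumes the report bodies can be obtained as standard `csp-report` JSON, and the sample reports, host names and function names are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

def _sample(directive, blocked):
    # Builds one constructed report body in the standard csp-report JSON shape.
    return json.dumps({"csp-report": {"document-uri": "https://app.example.test/Home",
                                      "violated-directive": directive,
                                      "blocked-uri": blocked}})

SAMPLE_REPORTS = [  # constructed data, not taken from a real log
    _sample("script-src 'self'", "https://cdn.example.test/lib/a.js"),
    _sample("script-src 'self'", "https://cdn.example.test/lib/b.js"),
    _sample("script-src 'self'", "https://cdn.example.test/lib/a.js?v=2"),
    _sample("img-src 'self'", "data:image/png;base64,AAAA"),
    _sample("img-src 'self'", "data"),
    _sample("script-src 'self'", "inline"),
    '{"csp-report": {"violated-dir',  # truncated entry, must not abort the run
]

def source_of(blocked_uri):
    """Reduce blocked-uri to an origin, or to a keyword such as inline/eval/data."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return parts.scheme or blocked_uri or "(empty)"

def directive_of(report):
    """Prefer effective-directive; otherwise take the name from violated-directive."""
    d = report.get("effective-directive") or report.get("violated-directive") or "(unknown)"
    return d.split()[0]

def summarize(raw_bodies):
    """Return ([((directive, source), count), ...] most frequent first, skipped_count)."""
    counts, skipped = Counter(), 0
    for raw in raw_bodies:
        try:
            report = json.loads(raw)["csp-report"]
            key = (directive_of(report), source_of(report.get("blocked-uri") or ""))
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # malformed or non-report entry
            continue
        counts[key] += 1
    return counts.most_common(), skipped

if __name__ == "__main__":
    ranked, skipped = summarize(SAMPLE_REPORTS)
    for (directive, source), n in ranked:
        print(f"{n:5d}  {directive:12s} {source}")
    print(f"skipped {skipped} malformed entries")
```

Each row at the top of the output is either a legitimate source missing from the policy or a resource that should not be loading at all; resolving it stops the corresponding log entries.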