Reporting CSP Errors in Honeycomb With the OpenTelemetry Collector

Observability OpenTelemetry
Reporting CSP Errors in Honeycomb With the OpenTelemetry Collector
Martin Holman

By: Martin Holman |

Observability OpenTelemetry

3 Min. Read

Contents
Guides

Honeycomb & OpenTelemetry for in-depth observability

Honeycomb and OpenTelemetry combine to give you the most detailed and actionable insights into the behavior of your system so you can find incidents quickly, accelerate build cycles, and migrate stress-free.

LEARN MORE

The HTTP Content-Security-Policy response header is used to control how the browser is allowed to load various content types. It is used to control which URLs, fonts, images, scripts, and more can be loaded onto the page. It’s a great defense against XSS (cross-site scripting), clickjacking, and cross-site vulnerabilities. The header can also specify a URL that will be used to send reports on violations of these properties.

Capturing these reports is valuable because it provides visibility into violations of your site’s intended security policies. These reports give you real-time feedback about attempted resource loads or script executions that were blocked by the policy, enabling faster debugging, tighter policy tuning, and enhanced protection of user data. Additionally, analyzing CSP reports can help uncover malicious activity or misconfigurations that might otherwise go unnoticed.

Receiving CSP reports with the webhookevent receiver

If you already have a Collector set up for receiving your frontend telemetry, you can start to receive CSP reports with the following configuration. First, you need to configure your CSP headers to send the reports to the Collector.

'Content-Security-Policy': "img-src 'none'; script-src 'self' 'unsafe-eval'; report-to otel-collector",
'Reporting-Endpoints': 'otel-collector="http://otel-collector.host/csp-reports"',

You also need to configure the Collector to receive these reports. This involves adding a new receiver and creating a new logs pipeline to process them.

receivers:
    webhookevent/csp:
      endpoint: 0.0.0.0:8088
      read_timeout: "500ms"
      path: "/csp-reports"
service:
  pipelines:
    logs/csp:
      receivers: [webhookevent/csp]
      processors: [batch]
      exporters: [otlp]

This gives you access to all of the information in your CSP reports.

Honeycomb Ui with CSP report.

Enhancing our CSP report data with the transform processor

This is a great start, but let’s make it even better. The CSP report is a JSON blob and it would be great to query over this data in a more natural manner. Enter the transform processor.

With a few extra lines in your Collector configuration, you can make this data much better. Add the transform processor and plug it into the CSP pipeline that you create above.

processors:
  transform/csp:
    log_statements:
      - statements:
        - merge_maps(log.attributes, ParseJSON(log.body), "upsert")
service:
  pipelines:
    logs/csp:
      receivers: [webhookevent]
      processors: [batch, transform/csp]
      exporters: [otlp]

Now, you can slice and dice your CSP report data more easily!

Continuous improvements

In this short blog post, you learned how to report CSP errors in Honeycomb thanks to the wonderful transform processor and the Collector. If you’d like to learn more about OpenTelemetry, download Austin Parker’s free whitepaper: The Director’s Guide to Observability: Leveraging OpenTelemetry in Complex Systems.

Martin Thwaites also wrote a great series on OpenTelemetry best practices that you can access here:

OpenTelemetry Best Practices #1: Naming
OpenTelemetry Best Practices #2: Agents, Sidecars, Collectors, Coded Instrumentation
OpenTelemetry Best Practices #3: Data Prep and Cleansing

Happy learning!

x icon linkedin icon youtube icon facebook icon
Don’t forget to share!
Martin Holman

Martin Holman

Staff Software Engineer

Martin is a software engineer who loves to build cool shit that people love. He’s spent most of his time at small startups wearing many hats. In his spare time you can find him playing in the mountains.

Related posts

How Much Should I Be Spending On Observability?

Charity Majors |

How Much Should I Be Spending On Observability?

In last week’s piece, we talked about some of the factors that are driving costs up, both good and bad, and about whether your observability bill is (or should be) more of a cost center or an investment. In this piece, I’m going to talk more in depth about cost drivers and levers of control.

Observability Sampling
Data Strategy for SREs and Observability Teams

Irving Popovetsky |

Data Strategy for SREs and Observability Teams

The idea that telemetry data needs to be managed, or needs a strategy, draws a lot of inspiration from the data world (as in, BI and Data Engineering). Your company most likely has a data team that manages the data warehouse(s), data pipelines, data sources, and reporting tools. These teams are also constantly balancing costs with their user and stakeholder needs, usability, data retention, granularity, etc. Sound familiar? That’s because if you’re working on observability data, these teams are at least several years ahead of you in addressing these tradeoffs and considerations—and can teach us quite a lot. 

Observability Sampling Software Engineering
How Much Should I Be Spending On Observability?

Charity Majors |

How Much Should I Be Spending On Observability?

In 2018, I dashed off a punchy little blog post in which I observed that teams with good observability seemed to spend around ~20-30% of their infra bill to get it. I also noted this was based on absolutely no data, only my own experiences and a bunch of anecdotes, heavily weighted towards startups and the mid-market tech sector.

Observability