[SOLVED] Possibility to deactivate db-logging of CSP reports?

As far as I can see, there is no built-in possibility to disable the logging of a well-formed CSP report to the database, or am I missing something?
This is a security issue from my point of view, as a customer's website has been offline due to a full database recently (flooded with CSP reports).
Of course there are ways (redirect, .htaccess, …). But I think it would be nice to create a smarter/more obvious way (in the CSP module, …)

1 Like

There are a few possibilities to deal with this:

  1. You can create a scheduler task (better: enhance the existing garbage collection task) and regularly clear the reports older than X from your database

  2. The CSP reporting modules are actually Request Middlewares: typo3/cms-backend/csp-report and typo3/cms-frontend/csp-report. You can put this into a site package's Configuration/RequestMiddlewares.php file (untested, but this should work):

<?php
// Configuration/RequestMiddlewares.php: disable the core CSP report middlewares
// so incoming violation reports are no longer written to sys_http_report.
return [
    'frontend' => [
        'typo3/cms-frontend/csp-report' => [
            'disabled' => true,
        ],
    ],
    'backend' => [
        'typo3/cms-backend/csp-report' => [
            'disabled' => true,
        ],
    ],
];

  3. You can use the config options $GLOBALS['TYPO3_CONF_VARS']['FE']['contentSecurityPolicyReportingUrl'] and $GLOBALS['TYPO3_CONF_VARS']['BE']['contentSecurityPolicyReportingUrl'] (see Feature: #99499 - Introduce Content-Security-Policy handling — TYPO3 Core Changelog main documentation) to point to a (non-logging / dummy) backend URL

HTH!

3 Likes
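A middle ground between option 2 (dropping all reports) and option 3 (which only changes the advertised URL) is to keep the core middleware but cap how many reports one client may submit, so a single flood cannot fill the table. The following is an added example, not code from this thread or from TYPO3 core; it assumes a site package namespace Vendor\Sitepackage, that a TYPO3 cache frontend is injected through Services.yaml, and that the class is registered in Configuration/RequestMiddlewares.php with 'before' => ['typo3/cms-frontend/csp-report'].

```php
<?php
declare(strict_types=1);

namespace Vendor\Sitepackage\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use TYPO3\CMS\Core\Cache\Frontend\FrontendInterface;
use TYPO3\CMS\Core\Http\Response;

// Hypothetical throttle placed in front of the core csp-report middleware.
// Once a client address has sent more than MAX_REPORTS reports within WINDOW
// seconds, further reports are answered with 429 and never reach the handler
// that writes them to sys_http_report. Legitimate reports still get through.
final class CspReportThrottle implements MiddlewareInterface
{
    private const MAX_REPORTS = 20;   // reports allowed per client per window
    private const WINDOW = 600;       // window length in seconds

    // Cache frontend assumed to be injected via Services.yaml (e.g. the 'hash' cache)
    public function __construct(private readonly FrontendInterface $cache) {}

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        if (!$this->isCspReport($request)) {
            return $handler->handle($request);
        }
        $ip = $request->getServerParams()['REMOTE_ADDR'] ?? 'unknown';
        $key = 'cspreport_' . sha1($ip);
        $count = (int)($this->cache->get($key) ?: 0);
        if ($count >= self::MAX_REPORTS) {
            // Browsers ignore the response body of a report; status alone is enough.
            return (new Response())->withStatus(429);
        }
        // Counter expires with the window, so the limit resets automatically.
        $this->cache->set($key, $count + 1, [], self::WINDOW);
        return $handler->handle($request);
    }

    // Only CSP violation reports are throttled; both the legacy and the Reporting API media types count.
    private function isCspReport(ServerRequestInterface $request): bool
    {
        $type = $request->getHeaderLine('Content-Type');
        return $request->getMethod() === 'POST'
            && (str_starts_with($type, 'application/csp-report')
                || str_starts_with($type, 'application/reports+json'));
    }
}
```

Pair this with the garbage collection task so that reports which do get stored are still purged after a retention period.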

You could use the table garbage collection task in the scheduler to remove all reports older than X days. Add this to your additional.php.

$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['scheduler']['tasks'][\TYPO3\CMS\Scheduler\Task\TableGarbageCollectionTask::class]['options']['tables']['sys_http_report'] = [
    'dateField' => 'created',
    'expirePeriod' => '7',
];
4 Likes

Thanks for your answers :+1: I was not aware that it is possible to disable middlewares, cool :slight_smile:

Concerning “3.” of your answer @ghi: this does not prevent logging using the default URL (and thus can still be used to flood the database)

Still I would suggest the logging being disabled by default / without any user CSP configuration

I suggest you report this as a bug, so it can be assessed and fixed by the Core Team.

1 Like