Appending data to Report-To header

elad · November 20, 2023, 1:42pm

Hi,

I noticed that Cloudflare is adding it’s own “Report-To” header to all responses coming back from my proxied URL. The value of the “Report-To” header looks like this:

{
	"endpoints": [
		{
			"url": "https://a.nel.cloudflare.com/report/......"
		}
	],
	"group": "cf-nel",
	"max_age": 604800
}

I want to add my own endpoint group (for CSP reporting) to this header, so it will end up looking like this when coming back to the client:

{
	"endpoints": [
		{
			"url": "https://a.nel.cloudflare.com/report/......"
		}
	],
	"group": "cf-nel",
	"max_age": 604800
},
{
	"endpoints": [
		{
			"url": "https://mydomain.com/csp-report"
		}
	],
	"group": "csp-report-to",
}

I figured I can do this with a Transform Rule of type “Modify Response Header” and then choose “Set Dynamic” for the header value.

However I could not figure out from the documentation what/how expression to write in order to append data to an existing header.

Can anyone help?

Kindest Regards,
Elad.

lyles-sutherland · November 27, 2023, 2:37pm

I am having the exact same issue and would love some assistance.

I tried implementing my CSP header with just “report-to ” as per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only but not having any luck.

elad · November 27, 2023, 4:19pm

Afaik report-to directive has been deprecated in favor of report-uri in modern browsers

lyles-sutherland · November 27, 2023, 4:48pm

I think report-uri is the one thats deprecated in favour of report-to - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri.

elad · November 27, 2023, 9:08pm

My bad, I got them mixed up.

So what did you test with? report-to?
What values did you set for that directive? a group name?

lyles-sutherland · November 28, 2023, 8:40am

So I was trying just
"Content-Security-Policy-Report-Only: default-src 'self' etc; report-to https://myendpoint.com/endpoint.php"

As thats what the Mozilla documentation seemed to think was an option but I’ve not had any success. I suspect that since the group name approach that you’ve outlined is a separate header that Cloudflare adds - its taking precedence. It might be possible to use this “single header solution” if we can disable the separate Report-To header…

lyles-sutherland · November 28, 2023, 9:41am

But the only option for removing this header that I can find by Googling is:

“The report-to header can be removed by emailing Cloudflare support.”

But [email protected] email address is no longer supported so I am stumped.

elad · November 28, 2023, 2:37pm

So I wanted update you that I somehow managed to workaround this issue and I have CSP reporting working against my endpoint.

What I did was instead of trying to manipulate Cloudflare’s “Report-To” header I added another header called: "Reporting-Endpoints” using Transform Rules with this value:

endpoint-1="https://mydomain.com/cspViolationReport”

I also of course added “report-to endpoint-1” to the end of Content-Security-Policy header so it looks like (for example):

Content-Security-Policy: default ’self’; report-to endpoint-1

I am now getting reports of CSP violations to my endpoint.

Hope this help,

Elad.

lyles-sutherland · December 4, 2023, 8:46am

Thanks elad, however I’ve tried this exact set up and I am seeing exactly the headers I want but nothing is coming through to my endpoint. Is your endpoint a URL on the same domain that you are testing or a remote URL?

From the documentation it sounds so simple yet I just don’t receive any JSON.

elad · December 4, 2023, 9:05am

Yes my endpoint is on the same domain I am testing. I am not sure that’s a hard requirement though, I’ve seen people use 3rd party services.

It is annoying the requests aren’t displaying in the browser’s dev tools so it’s very hard to debug.

Maybe try using a local proxy service to see if the CSP reports are actually being sent through?