tl;dr: self-hosted report-uri.com ?
I messed up my site's Content-Security-Policy and blew up my report quota on report-uri.com last month. I'm happy with them, but I don't really want to pay for this service, and I want to avoid that in the future. So I'm looking for something(s) to:
- Collect Content-Security-Policy browser reports (go-csp-collector is sufficient here, if not great, as it doesn't support the newer Report-To) and log to JSON (or whatever)
- Collect other browser reports such as NEL, Deprecation, Crash and log to JSON
- Collect SMTP-TLS and DMARC email reports and log to JSON
- Display them somehow for searching and for seeing trends: preferably something less manual than Grafana, but I can collect the logs and do custom dashboards in Grafana that parse JSON (or whatever) logs if I need to.
- Let me filter incoming reports based on various things (like ignore CSP reports with no URL)
In my searches I found plenty of SaaS and no source code for the whole thing. Sentry and its clones are too much; I don't want to instrument an app I don't have. I did find plenty of 5-year old abandoned projects, though.
So, what's out there in this space for self-hosting?
For reference, report-uri.com looks like the below, with the ability to drill down and filter and see reports.
The client has the private key, the server has the corresponding public key in its authorized keys file.
The server is vulnerable to the private key getting stolen from the client.