Frequently Asked Questions

I'm Scott Helme, an Information Security Consultant and blogger from the UK. You can regularly find me talking about security, privacy and performance on my blog over at scotthelme.co.uk.
Outside of work I like to keep up to speed on the latest developments in the security industry and this was the main motivation to start my blog. After writing about Content Security Policy and HTTP Public Key Pinning, I noticed that their use wasn't very widespread. Not only that but the reporting feature of these security policies was difficult to implement and get right. report-uri.io was built to make the violation reporting aspect easy and to draw attention to the ease of deploying these security policies with the hope of increasing their usage.
When a site deploys a Content Security Policy or HTTP Public Key Pinning, the browser enforces the policy the site declares. That gives visitors more protection, but on its own it leaves the site operator blind: the browser blocks the offending content, such as an injected script from an XSS attack, but the operator never learns that anything was blocked and so cannot fix the underlying problem. Violation reporting closes that gap, and it is the part report-uri.io takes care of. You add your own unique reporting endpoint to the policy's report-uri directive, the browser POSTs a violation report to us whenever the policy is triggered, and you can monitor exactly what is happening on your site: which policies are being triggered, where and why.
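The two halves of that loop, as an added example rather than code from report-uri.io: the response header that tells the browser where to send reports, and the validation a collector has to do on what arrives. The collector URL https://report.example.com/csp, the function names and the sample report are all assumptions constructed for this example. The one check a practitioner should not skip is the last one: report endpoints are unauthenticated, so anything on the internet can POST to them and the body must be treated as untrusted input.

```python
"""CSP reporting, both ends. Added example; not report-uri.io's code.

The endpoint URL, the sample report and the noise heuristic are constructed
for illustration and are not taken from the original page.
"""
import json

REPORT_URI = "https://report.example.com/csp"  # hypothetical collector endpoint


def build_csp_header(policy, report_uri=REPORT_URI, report_only=False):
    """Return (header name, header value) for a policy with reporting enabled.

    report_only=True selects Content-Security-Policy-Report-Only, which
    sends reports but blocks nothing; this is how a new policy is trialled.
    """
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, f"{policy}; report-uri {report_uri}"


# Fields a usable csp-report must carry; everything else is optional.
REQUIRED = ("document-uri", "violated-directive", "blocked-uri")
MAX_BODY = 16 * 1024  # reports are small; refuse anything larger
# Schemes that typically mean a browser extension injected content, not the site.
EXTENSION_SCHEMES = ("chrome-extension:", "moz-extension:", "safari-extension:")


def parse_csp_report(body, content_type):
    """Validate one browser POST and return a normalised record, or None.

    Anyone can POST here, so the body is untrusted: size-limit it, insist
    on a report media type, and reject anything that is not a well-formed
    {"csp-report": {...}} document with the required fields.
    """
    if len(body) > MAX_BODY:
        return None
    if content_type.split(";")[0].strip() not in ("application/csp-report", "application/json"):
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict) or any(k not in report for k in REQUIRED):
        return None
    if not all(isinstance(report[k], str) for k in REQUIRED):
        return None
    source = report.get("source-file", "")
    return {
        "page": report["document-uri"],
        # 'violated-directive' may include the directive's value ("script-src 'self'");
        # keep only the directive name for grouping.
        "directive": report["violated-directive"].split()[0],
        "blocked": report["blocked-uri"],
        "source": f"{source}:{report.get('line-number', '')}".rstrip(":"),
        "disposition": report.get("disposition", "enforce"),
        # Likely extension noise rather than an attack on the page itself.
        "noise": source.startswith(EXTENSION_SCHEMES)
        or report["blocked-uri"].startswith(EXTENSION_SCHEMES),
    }


# Constructed sample of what a browser sends for a blocked third-party script.
SAMPLE_BODY = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/checkout",
    "referrer": "",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri " + REPORT_URI,
    "blocked-uri": "https://evil.example.net/inject.js",
    "status-code": 200,
}})

if __name__ == "__main__":
    print(build_csp_header("default-src 'self'; script-src 'self'"))
    print(parse_csp_report(SAMPLE_BODY, "application/csp-report"))
    print(parse_csp_report("<html>not a report</html>", "text/html"))
```

Because a report carries whatever the sender puts in it, values such as blocked-uri should be stored and displayed as data, never rendered as HTML, or the collector itself becomes the XSS target.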
Yes, there are two ways you can do this. You can create an account for each site you would like to manage to have a unique reporting address for each one, but managing more than 1 could become tedious. To make things easier you can use the same reporting address across multiple sites. All reports will still be collected and stored in your account just the same and you can monitor everything from the dashboard for all of your sites!
Yes! I built this site to be of maximum use to anyone that wanted to implement CSP and HPKP violation reporting and the best way to make it as useful as possible was to make it free. With the commoditisation of cloud compute power, building a highly scalable and reliable web application has become fairly cheap!
The basic features of report-uri.io will always remain free. Those are the ability to create an account, get your own unique reporting endpoint to collect your reports and view basic information and statistics on the reports your site generates. Down the line I may introduce premium features depending on how the site grows or I may just add more features to the free tier. My goal will always be to keep the use of this site free or as cheap as possible.
Yes, you can! If you would like your own dedicated instance of report-uri.io hosting then please get in touch with me.

The site is hosted between 2 cloud providers, DigitalOcean and Microsoft Azure.

DigitalOcean provide fast SSD-based hosting from multiple locations around the world. Their virtual servers, called Droplets, are highly flexible and are what report-uri.io is built on. We use Ubuntu and Nginx on our load balancer, which then proxies requests to several application servers behind it, also running Ubuntu, Nginx and PHP.

Microsoft Azure offers many services and report-uri.io leverages the scale and performance of Table Storage, a NoSQL key-value store that allows for massive datasets. Without having to worry about sharding, storage capacity or throughput, report-uri.io can scale on demand to suit our needs.

The site is written in PHP and makes use of the incredibly lightweight CodeIgniter MVC framework.
Yes, we use a robust TLS configuration on our load balancers that provides a strong selection of cipher suites allowing for Perfect Forward Secrecy. Coupled with our use of HTTP Strict Transport Security and HTTP Public Key Pinning, we score an A+ rating on the Qualys SSL Test. (A note for anyone copying the pinning part: a bad or expired pin set locks visitors out of the site for the full max-age, so HPKP should only be deployed with a tested backup pin, and mainstream browsers have since removed support for it altogether.)
The PHPass password hashing framework provides all the security for storage of passwords on report-uri.io. It generates a strong random salt for every password and lets us control the work factor, so passwords are safely stored in the database. At present we use bcrypt with a cost factor of 10, which is 2^10 = 1,024 iterations of the bcrypt key-derivation function.
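The reason the work factor is worth controlling "flexibly" is that it has to go up over time, and the stored hash records the cost it was made with. The added example below (not PHPass or report-uri.io code) parses that modular-crypt string and decides whether a hash is below current policy; the idea is to run it right after a successful login, when the cleartext is available to rehash. The sample hash string is constructed for the example and is not claimed to correspond to any particular password; producing or verifying real hashes needs a bcrypt implementation (in PHP, password_hash with PASSWORD_BCRYPT), which this example deliberately does not include.

```python
"""Bcrypt cost inspection and upgrade-on-login policy. Added example; not
PHPass or report-uri.io code. The sample hash is a constructed string with
the right shape, not the hash of a known password.
"""
import re

# Modular-crypt bcrypt: $2a$ / $2b$ / $2x$ / $2y$ (or bare $2$), two-digit cost,
# then 22 chars of salt and 31 chars of hash in bcrypt's ./A-Za-z0-9 alphabet.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def bcrypt_params(stored_hash):
    """Return (variant, cost, iterations, salt) parsed from a bcrypt string.

    bcrypt's cost is a log2 work factor: cost c means 2**c rounds of the
    expensive key setup, so cost 10 is the 1,024 iterations quoted above.
    """
    m = BCRYPT_RE.match(stored_hash)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost, salt = m.group(1), int(m.group(2)), m.group(3)
    if not 4 <= cost <= 31:  # the range bcrypt implementations accept
        raise ValueError(f"cost {cost} out of range")
    return variant, cost, 2 ** cost, salt


def needs_rehash(stored_hash, target_cost, target_variant="2y"):
    """True if the hash was made with a lower cost (or an older variant) than
    policy now requires. Call after the password has just been verified, so
    the cleartext is in hand and the hash can be regenerated immediately.
    """
    variant, cost, _, _ = bcrypt_params(stored_hash)
    return cost < target_cost or variant != target_variant


# Constructed sample: cost 10, PHP-style $2y$ variant, well-formed salt and hash.
SAMPLE_HASH = "$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"

if __name__ == "__main__":
    print(bcrypt_params(SAMPLE_HASH))
    print("rehash at cost 10:", needs_rehash(SAMPLE_HASH, 10))
    print("rehash at cost 12:", needs_rehash(SAMPLE_HASH, 12))
```

Raising the target cost by one doubles the work for both the legitimate login and an offline cracking attempt, so the usual policy is to pick the highest cost that keeps a login under a budget (tens to a few hundred milliseconds) on the production hardware and to re-measure as that hardware changes.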