Table of Contents
- Introduction & Creating and Editing Service Profiles
- Domain Review
- Configuration and Editing
- Violation Detection and CSP Management
- Alerts
Introduction & Service Profiles
The Services & CSP Management Module gives users the ability to build, deploy and monitor a CSP on their site. Here domains can be inventoried, approved or rejected, domain whitelists can be created, CSPs can be created, and ultimately user sites can be monitored for domain whitelist and CSP violations. Let's dive into how the CSP management system works and cover some important terminology.
Domain Review
Any service profile configured for the account and/or site adds its domains to a review list. Each domain on that list must be reviewed (approved or rejected) before it can become available for use in CSP configuration.
Domains must be approved by both a Tag Governance Admin AND a Security Admin. Both of these are user roles that can be assigned to a Blue Triangle portal user with an access level of “Department Admin” or higher for the site that will contain that CSP configuration. Both of these roles can be fulfilled by one person.
Note that both the Security Admin and the Tag Management Admin must approve a domain. If neither has approved or rejected a domain yet, that domain will not be color-coded and will be considered “pending”. If only one approves, the domain will still be considered “pending” approval but will be color-coded yellow. If one approves and the other rejects a domain, the domain will be considered “rejected” and will be color-coded red in the domain review list. Only if both approve will the domain be considered “approved,” color-coded green, and allowed for use in CSP configuration.
See below for an example of various combinations of approval and the impact on color-coding in the list.
While reviewing domains on a case-by-case basis is recommended, bulk review is possible. Both Security Admins and Tag Management Admins can click the box under the check-mark (approve) or the ex-mark (reject) in the domain review list. Doing so triggers the following message popups, which require additional input to bypass and save changes:
Need to export the Domain Review List?
The list of domains can be exported via TSV or CSV when opening the modal and selecting one of those options from the dropdown at the top right of the table. This may facilitate the initial review process when first approving and rejecting domains for use on a site’s CSP.
CSP Configuration and Editing
When naming the CSP, please note that the CSP name affects only the way it is recorded in Blue Triangle’s system for listing and editing in the “Configured Content Security Policies” section of the previous page. If the CSP manager of the site will ultimately be responsible for multiple environments and multiple versions of a CSP on a single site, a naming convention that differentiates those factors is recommended.
Note that once a CSP has been created, its name can be changed in subsequent versions, which is useful if the naming convention changes between pre-production environments and production environments.
CSP Violation Detection and CSP Management
Once a CSP has been placed on a customer’s site in a non-blocking or a blocking mode, CSP violations (in the case of blocking) or Whitelist violations (in the case of non-blocking) will be recorded in the Domain Violation & Audit Log.
What to Do When a Domain in the Log Needs to be Used in the CSP:
If a domain in the Domain Violation & Audit Log needs to be used in a CSP, it must first be approved by the Tag Management Admin and Security Admin for use in the CSP. After it’s approved for use, it will still be detected and logged when it appears on the site until it is added into the active CSP on the page or pages where the violation was detected.
To add a newly approved domain to a CSP, navigate to the CSP Manager page, look for the CSP to be edited under the “Currently Configured CSPs” section, and click the pencil icon to the left of the row.
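The gap described above, where an approved domain keeps being logged until it is added to the active CSP, can be checked offline. The following is an added example, not Blue Triangle code: the field names, domains and policy string are constructed, and treating any rejection as “rejected” is an assumption for combinations the page does not describe.

```python
# Added example: reconcile a domain review list against an active CSP string.
# All data below is constructed; the field names are NOT the product's export format.
REVIEWS = [
    {"domain": "cdn.example.com",   "tag_admin": "approve", "security_admin": "approve"},
    {"domain": "ads.example.net",   "tag_admin": "approve", "security_admin": "reject"},
    {"domain": "chat.example.org",  "tag_admin": "approve", "security_admin": None},
    {"domain": "fonts.example.com", "tag_admin": "approve", "security_admin": "approve"},
    {"domain": "new.example.io",    "tag_admin": None,      "security_admin": None},
]
ACTIVE_CSP = ("default-src 'self'; "
              "script-src 'self' https://cdn.example.com https://ads.example.net; "
              "font-src 'self' data:")

def review_status(tag_admin, security_admin):
    """Dual-approval rule: approved only when both roles approve."""
    decisions = (tag_admin, security_admin)
    if "reject" in decisions:
        # The page covers approve + reject; other reject combinations are assumed.
        return "rejected"
    if decisions == ("approve", "approve"):
        return "approved"
    return "pending"  # nobody has decided yet, or only one approval so far

def csp_hosts(policy):
    """Collect host-sources from every directive, skipping keywords and schemes."""
    hosts = set()
    for directive in policy.split(";"):
        for source in directive.split()[1:]:  # first token is the directive name
            if source.startswith("'") or source.endswith(":") or source == "*":
                continue  # 'self', 'nonce-...', https:, data:, wildcard
            host = source.split("://", 1)[-1].split("/", 1)[0]
            hosts.add(host.lower())
    return hosts

def reconcile(reviews, policy):
    status = {r["domain"].lower(): review_status(r["tag_admin"], r["security_admin"])
              for r in reviews}
    approved = {d for d, s in status.items() if s == "approved"}
    in_csp = csp_hosts(policy)
    return {
        # Approved, but will still be logged until added to the CSP.
        "approved_not_in_csp": sorted(approved - in_csp),
        # Present in the CSP without both approvals: needs review.
        "in_csp_not_approved": sorted(in_csp - approved),
    }

if __name__ == "__main__":
    print(reconcile(REVIEWS, ACTIVE_CSP))
```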
CSP Alerts