I was hoping to use my existing Caddy 2 server as a very simple self-hosted alternative to Report-URI. Granted, not the entire application; Caddy’s role in this would simply be to log these reports as they came in. There are plenty of other tools out there for analyzing, reporting, displaying and visualizing these logs. Caddy’s job would just be to log the JSON it received any time it received a POST request at a particular endpoint and return a
I started searching how to log request bodies with Caddy and came across this topic, which was a bummer, but the response absolutely makes sense: adding general support for logging request bodies is extremely complex and probably not a good idea.
But this particular use case is not the wild west. Violation reports are sent automatically by browsers when a violation is detected, are small, always JSON and follow a strict standard. So logging them wouldn’t require solving all the problems of logging request bodies; in fact, ideally the endpoint would simply reject anything that didn’t look like a violation report (larger than expected, binary data, not JSON, etc.).
Would this be a possible candidate for a plugin? I’m still kind of new at Caddy so I’m not sure. It seemed like something people would find useful though? All of the recent security headers can do reporting now so it seems likely people will go looking for a self-hosted solution. I wouldn’t call this logging a solution per se but just having a log of the reports is probably enough for most personal deployments, especially since that log can be combined with other tooling pretty easily.
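The validation described in the post, sketched as an added example that is not part of the original post and not a Caddy plugin: a standalone Go handler that accepts only small JSON reports sent with a reporting media type and writes each one as a single log line. The size cap, the `/reports` path, the listen address and the 204 response are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"log"
	"mime"
	"net/http"
)

const maxReportBytes = 16 << 10 // assumed cap; real reports are far smaller

// checkReport returns the response status and, if accepted, single-line JSON.
func checkReport(method, contentType string, body io.Reader) (int, []byte) {
	if method != http.MethodPost {
		return http.StatusMethodNotAllowed, nil
	}
	// Media types used by CSP report-uri and by the Reporting API.
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil || (mt != "application/csp-report" && mt != "application/reports+json") {
		return http.StatusUnsupportedMediaType, nil
	}
	// Read one byte past the cap so oversized bodies are rejected, not truncated.
	raw, err := io.ReadAll(io.LimitReader(body, maxReportBytes+1))
	if err != nil {
		return http.StatusBadRequest, nil
	}
	if len(raw) > maxReportBytes {
		return http.StatusRequestEntityTooLarge, nil
	}
	var buf bytes.Buffer
	// Compact fails on invalid JSON (binary, empty, cut off); scalars are refused too.
	if json.Compact(&buf, raw) != nil || (buf.Bytes()[0] != '{' && buf.Bytes()[0] != '[') {
		return http.StatusBadRequest, nil
	}
	return http.StatusNoContent, buf.Bytes()
}

func main() {
	http.HandleFunc("/reports", func(w http.ResponseWriter, r *http.Request) { // hypothetical path
		status, report := checkReport(r.Method, r.Header.Get("Content-Type"), r.Body)
		if report != nil {
			log.Printf("violation-report remote=%s body=%s", r.RemoteAddr, report)
		}
		w.WriteHeader(status)
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Because valid JSON cannot contain raw newlines and `json.Compact` strips the whitespace between tokens, an accepted report cannot split or forge log entries.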