Caspr (not under development)

If you are looking for a CSP reporting tool, please check out .



Caspr is a Content-Security-Policy report endpoint, aggregator, and analyzer.

It contains three parts:

What is Content-Security-Policy?


Either use Heroku, or to install manually, install NodeJS/npm/MongoDB(>2.6).

git clone
cd caspr
npm install
forever bin/www


$> node bin/www --help

Usage: node www [options]

   -p, --port               Port to run http caspr  [3000]
   --ssl                    Run ssl on port 443  [false]
   --sslKeyFile             SSL key file for ssl  [./bin/certs/key.pem]
   --sslCertFile            SSL certificate file for ssl  [./bin/certs/cert.pem]
   --cappedCollectionSize   Size of report collection in bytes  [0]


To use caspr with SSL, set sslKeyFIle and sslCertFile to the location of your cert and private key file on disk with --sslKeyFile and --sslCertFIle.

forever bin/www --ssl --sslKeyFile /var/certs/key.pem --sslCertFile /var/certs/cert.pem

Capped Collections

MongoDB supports capped collections, meaning you can specifiy a maximum size for the reports collection in your DB.

For my own deployments I usually set it around 1GB, but on Heroku the maximum size of the free version is .5GB.

To use capped collections, either set it manually or pass the size in bytes you'd like the reports collection to be.

forever bin/www --capped 500000000 // .5GB
use caspr
db.runCommand({convertToCapped: 'reports', size: 500000000 })

How do I dump all reports?

All reports are stored within MongoDB. So a script such as the following can be used to dump all reports into a json file


cursor = db.getSiblingDB('caspr').reports.find();
while ( cursor.hasNext() ) {
   printjson( );
mongo dump.js > dump.json



Content-Security-Policy report aggregator/analyzer

Caspr Info

⭐ Stars 53
🔗 Homepage
🔗 Source Code
🕒 Last Update 9 months ago
🕒 Created 8 years ago
🐞 Open Issues 8
➗ Star-Issue Ratio 7
😎 Author c0nrad