
Add support for Content-Security-Policy-Report-Only mode

Open jleroy-gm opened this issue 10 months ago • 3 comments

Is your feature request related to a problem? Please describe.

I'm using this library to manage CSP headers, and I need to enable report-only mode. However, the library does not seem to support replacing the Content-Security-Policy header with Content-Security-Policy-Report-Only. This makes it difficult to test policies without enforcing them.

Describe the solution you'd like

It would be great if the library provided an option to switch to report-only mode, automatically replacing Content-Security-Policy with Content-Security-Policy-Report-Only when enabled.

Describe alternatives you've considered

Manually modifying the response headers after they are set by the library, but this is not ideal. Using a different middleware for CSP management, but I prefer to keep using this library.

Additional context

This feature would be useful for safely testing CSP rules before enforcing them in production. Let me know if I can provide more details!

jleroy-gm, Feb 27 '25 10:02

Hey Buddy,

Thanks for reporting this issue! We have tackled this case before here https://github.com/Baroshem/security/issues/193

It was a long time ago and since then there wasn't actually that much traffic for this particular topic, but looking at your case I think it would be beneficial to have it.

Would you be interested in contributing? I can provide all the help needed :)

Baroshem, Feb 27 '25 14:02

Yeah, the report-only mode is really great for displaying and collecting all CSP-related errors without breaking anything. It's also useful for gathering CSP errors in a production environment before enforcing the policy.

As for contributing, honestly, I'm not confident enough to submit a PR directly. I'd be too afraid of breaking something in your codebase that I'm not familiar with. However, I can at least describe what I envisioned for this new feature:

  • Add an option "contentSecurityPolicyReportOnly: true|false" to the main NuxtSecurity configuration (at the same level as the "nonce: true|false" option).
  • If "contentSecurityPolicyReportOnly" is set to true, then the "Content-Security-Policy" header is replaced with "Content-Security-Policy-Report-Only".

jleroy-gm, Feb 27 '25 16:02
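The option sketched in the comment above, as an added example that is not nuxt-security's own code: a helper that serializes a directive map (the key/value shape is assumed) and, when the proposed `contentSecurityPolicyReportOnly` flag is on, emits the report-only header name in place of the enforcing one. It also flags the two report-only pitfalls a tester should know about: a policy without `report-uri`/`report-to` only reaches the browser console, and `sandbox` is ignored in report-only delivery.

```javascript
// Added example, not code from the nuxt-security project.
// `policy` is assumed to be a directive map: { 'script-src': [...], 'upgrade-insecure-requests': true, ... }

const ENFORCE_HEADER = 'Content-Security-Policy';
const REPORT_ONLY_HEADER = 'Content-Security-Policy-Report-Only';

// Serialize a directive map into a CSP header value.
// `true` emits a bare directive, `false` drops it, strings/arrays are joined.
function serializeCsp(policy) {
  return Object.entries(policy)
    .filter(([, v]) => v !== false)
    .map(([name, v]) => (v === true ? name : `${name} ${[].concat(v).join(' ')}`))
    .join('; ');
}

// Pick the header name according to the proposed reportOnly switch and
// collect warnings about directives that behave differently in report-only mode.
function buildCspHeader(policy, options = {}) {
  const { reportOnly = false } = options;
  const value = serializeCsp(policy);
  const name = reportOnly ? REPORT_ONLY_HEADER : ENFORCE_HEADER;
  const warnings = [];
  if (reportOnly && !/\breport-(uri|to)\b/.test(value)) {
    warnings.push('report-only policy has no report-uri/report-to; violations only reach the browser console');
  }
  if (reportOnly && /\bsandbox\b/.test(value)) {
    warnings.push('sandbox is ignored when delivered via Content-Security-Policy-Report-Only');
  }
  return { name, value, warnings };
}

// Apply the policy to an existing header map (a plain object here, assumed),
// replacing whichever CSP header was already set so the two never coexist by accident.
function applyCsp(headers, policy, options) {
  const { name, value, warnings } = buildCspHeader(policy, options);
  const out = { ...headers };
  delete out[ENFORCE_HEADER];
  delete out[REPORT_ONLY_HEADER];
  out[name] = value;
  return { headers: out, warnings };
}
```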

Any update on this? It would be a great feature.

BrutCZE, Apr 30 '25 13:04