feat(secure-headers): Add CSP report-uri directive support
What is the feature you are proposing?
Add CSP report-uri directive support to secure-headers middleware for backwards compatibility with legacy systems.
Why is this feature needed?
The secure-headers middleware currently supports the modern report-to CSP directive but lacks support for the widely-used report-uri directive. This creates compatibility issues for:
- Legacy systems and older browsers that don't support the Reporting API
- Applications migrating from other frameworks that use report-uri
- Enterprise environments with mixed browser support
- Systems where the Reporting API isn't available or configured
Without report-uri support, developers cannot use the secure-headers middleware in environments that require legacy CSP violation reporting.
Proposed solution
Add reportUri option to the ContentSecurityPolicy configuration interface and update the CSP header generation logic:
// Type definition addition
interface ContentSecurityPolicyOptions {
  // ... existing directives
  reportUri?: string | string[]
}

// Usage example
secureHeaders({
  contentSecurityPolicy: {
    defaultSrc: ["'self'"],
    reportUri: '/csp-violation-endpoint',
    // or for multiple endpoints:
    // reportUri: ['/endpoint1', '/endpoint2'],
  },
})
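As an added illustration of how the header generation could treat the proposed reportUri next to the existing reportTo (this is example code written for this thread, not Hono's implementation and not code from the proposal), the function below serialises a camelCase options object into a Content-Security-Policy value. The directive names covered, the token validation helper and the sample endpoints are assumptions; report-uri takes one or more space-separated URIs, while report-to takes a Reporting API group name.

```typescript
// Added example, not Hono's own code: build a CSP header value from
// camelCase options, with the proposed `reportUri?: string | string[]`.

type DirectiveValue = string | string[] | undefined

interface ContentSecurityPolicyOptions {
  defaultSrc?: string[]
  scriptSrc?: string[]
  reportTo?: string               // Reporting API group name (existing option)
  reportUri?: string | string[]   // legacy endpoint(s), the directive this proposal adds
  [directive: string]: DirectiveValue
}

// "defaultSrc" -> "default-src", "reportUri" -> "report-uri"
function toDirectiveName(key: string): string {
  return key.replace(/[A-Z]/g, (m) => `-${m.toLowerCase()}`)
}

// Assumed defensive check: a value containing ';', ',' or whitespace would
// terminate the directive or split into extra source tokens, silently
// changing the policy, so reject it instead of emitting a broken header.
function assertToken(directive: string, token: string): void {
  if (token.length === 0 || /[;,\s]/.test(token)) {
    throw new Error(`invalid value for ${directive}: ${JSON.stringify(token)}`)
  }
}

function buildContentSecurityPolicy(options: ContentSecurityPolicyOptions): string {
  const directives: string[] = []
  for (const [key, value] of Object.entries(options)) {
    if (value === undefined) continue
    const name = toDirectiveName(key)
    const tokens = Array.isArray(value) ? value : [value]
    if (tokens.length === 0) continue
    for (const t of tokens) assertToken(name, t)
    directives.push(`${name} ${tokens.join(' ')}`)
  }
  return directives.join('; ')
}

// Constructed sample for the migration case in the issue: both directives set.
// Browsers that implement report-to ignore report-uri when both are present;
// older browsers only understand report-uri.
const examplePolicy = buildContentSecurityPolicy({
  defaultSrc: ["'self'"],
  reportTo: 'csp-endpoint',
  reportUri: ['/csp-violation-endpoint', 'https://reports.example.com/csp'],
})
```

Note that the report-to group name only works if the response also carries a Reporting-Endpoints (or the older Report-To) header defining that group, which is exactly why a legacy report-uri fallback is useful during a migration.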
@cruzz77 Thank you for the proposal.
Hey @watany-dev ! The author of the secure-headers. What do you think of this?
Hi @yusukebe , I appreciate you tagging @watany-dev for their input.
To make things easier, I just wanted to reiterate that I'm fully prepared to implement this feature and submit a PR. If the approach is agreed upon in principle, I can get started on the draft and we can refine it from there.
Looking forward to hearing your and @watany-dev's thoughts.