
feat(secure-headers): Add CSP report-to and report-uri directive support

Open cruzz77 opened this issue 1 month ago • 3 comments

Description

This PR adds support for CSP report-to and report-uri directives to the secure-headers middleware, addressing the feature request in #4527.

Implements the functionality accordingly.

Changes

  • Add reportTo and reportUri options to the CSP configuration
  • Serialize both directives into the final Content-Security-Policy header
  • Omit directives when undefined (backward compatible)
  • Follow existing secure-headers patterns and architecture
  • Include updated and accurate TypeScript definitions

Usage

import { Hono } from 'hono'
import { secureHeaders } from 'hono/secure-headers'

const app = new Hono()

app.get(
  '/',
  secureHeaders({
    contentSecurityPolicy: {
      reportUri: '/csp-report',
      reportTo: 'csp-endpoint',
      defaultSrc: ["'self'"],
      // ...other directives
    }
  })
)

Checklist

  • [x] Add tests
  • [x] Run tests
  • [x] bun run format:fix && bun run lint:fix to format the code
  • [x] Add TSDoc/JSDoc documentation

Testing

  • ✅ Added comprehensive tests for new reportTo and reportUri options
  • ✅ Verified all existing tests continue to pass
  • ✅ Tested edge cases and invalid inputs
  • ✅ Confirmed TypeScript type safety

cruzz77 · Nov 28 '25 12:11
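To make the serialization behaviour described in the Changes list concrete, here is an added example that is not code from the PR or from Hono itself: a standalone CSP builder that assumes the camelCase option names of the usage snippet (defaultSrc, reportUri, reportTo), emits report-to and report-uri only when defined, and also builds the Reporting-Endpoints header that a report-to group name refers to.

```typescript
// Added example (not Hono's own code): a minimal serializer mirroring the
// behaviour the PR describes, so the header shape can be checked in isolation.
type CspValue = string | string[] | boolean | undefined

// Option names are assumed to follow the camelCase convention of the PR's
// usage snippet (defaultSrc, reportUri, reportTo, ...).
interface CspOptions {
  [option: string]: CspValue
}

// defaultSrc -> default-src, reportUri -> report-uri, reportTo -> report-to
function toDirectiveName(option: string): string {
  return option.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase())
}

// A ';', '"' or line break inside a value would end the directive or header
// early and let a configured value smuggle in another one, so refuse it.
function assertSafeValue(name: string, value: string): void {
  if (/[;"\r\n]/.test(value)) {
    throw new Error(`CSP directive ${name} contains an illegal character`)
  }
}

function buildCsp(options: CspOptions): string {
  const directives: string[] = []
  for (const [option, value] of Object.entries(options)) {
    // undefined (or false) means "not configured": omit the directive entirely,
    // so existing configurations without reportTo/reportUri are unchanged
    if (value === undefined || value === false) continue
    const name = toDirectiveName(option)
    if (value === true) {
      directives.push(name) // valueless directive, e.g. upgrade-insecure-requests
      continue
    }
    const joined = Array.isArray(value) ? value.join(' ') : value
    assertSafeValue(name, joined)
    directives.push(`${name} ${joined}`)
  }
  return directives.join('; ')
}

// report-to names a reporting group; browsers only deliver to it if the
// response also carries a Reporting-Endpoints header mapping name -> URL.
function reportingEndpointsHeader(endpoints: Record<string, string>): string {
  return Object.entries(endpoints)
    .map(([group, url]) => {
      assertSafeValue(group, url)
      return `${group}="${url}"`
    })
    .join(', ')
}
```

report-uri is deprecated in CSP Level 3 in favour of report-to, but still widely supported, so sending both as the usage snippet does gives the broadest browser coverage.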

Codecov Report

✅ All modified and coverable lines are covered by tests. ✅ Project coverage is 91.49%. Comparing base (b06005a) to head (1e6c12c).

Additional details and impacted files
@@           Coverage Diff           @@
##             next    #4555   +/-   ##
=======================================
  Coverage   91.49%   91.49%           
=======================================
  Files         172      172           
  Lines       11230    11230           
  Branches     3257     3259    +2     
=======================================
  Hits        10275    10275           
  Misses        954      954           
  Partials        1        1           


codecov[bot] · Nov 30 '25 11:11

Hey @cruzz77 !

Looks good to me. I'll merge this later and include this change in the next minor release. Thank you for your contribution!

yusukebe · Dec 02 '25 07:12

Thanks a lot! Had fun doing this!

cruzz77 · Dec 02 '25 08:12