feat(secure-headers): Add CSP report-uri directive support

[cruzz77]

What is the feature you are proposing?

What is the feature you are proposing?

Add CSP report-uri directive support to secure-headers middleware for backwards compatibility with legacy systems.

Why is this feature needed?

The secure-headers middleware currently supports the modern report-to CSP directive but lacks support for the widely-used report-uri directive. This creates compatibility issues for:

• Legacy systems and older browsers that don't support Reporting API
• Applications migrating from other frameworks that use report-uri
• Enterprise environments with mixed browser support
• Systems where Reporting API isn't available or configured

Without report-uri support, developers cannot use the secure-headers middleware in environments that require legacy CSP violation reporting.

Proposed solution

Add reportUri option to the ContentSecurityPolicy configuration interface and update the CSP header generation logic:

// Type definition addition
interface ContentSecurityPolicyOptions {
  // ... existing directives
  reportUri?: string | string[]
}

// Usage example
secureHeaders({
  contentSecurityPolicy: {
    defaultSrc: ["'self'"],
    reportUri: '/csp-violation-endpoint'
    // or for multiple endpoints:
    reportUri: ['/endpoint1', '/endpoint2']
  }
})

[yusukebe]

@cruzz77 Thank you for the proposal.

Hey @watany-dev ! The author of the secure-headers. What do you think of this?

[cruzz77]

Hi @yusukebe , I appreciate you tagging @watany-dev for their input.

To make things easier, I just wanted to reiterate that I'm fully prepared to implement this feature and submit a PR. If the approach is agreed upon in principle, I can get started on the draft and we can refine it from there.

Looking forward to hearing your and @watany-dev's thoughts.