
Conversation


@cruzz77 cruzz77 commented Nov 28, 2025

Description

This PR adds support for CSP report-to and report-uri directives to the secure-headers middleware, addressing the feature request in #4527.

Implements the functionality accordingly.

Changes

  • Add reportTo and reportUri options to the CSP configuration
  • Serialize both directives into the final Content-Security-Policy header
  • Omit directives when undefined (backward compatible)
  • Follow existing secure-headers patterns and architecture
  • Include updated and accurate TypeScript definitions

Usage

import { Hono } from 'hono'
import { secureHeaders } from 'hono/secure-headers'

const app = new Hono()

app.get(
  '/',
  secureHeaders({
    contentSecurityPolicy: {
      // serialized as `report-uri /csp-report` (legacy reporting directive)
      reportUri: '/csp-report',
      // serialized as `report-to csp-endpoint` (group name, must match a Reporting-Endpoints header)
      reportTo: 'csp-endpoint',
      defaultSrc: ["'self'"],
      // ...other directives
    }
  })
)

Checklist

  • Add tests
  • Run tests
  • bun run format:fix && bun run lint:fix to format the code
  • Add TSDoc/JSDoc documentation

Testing

  • ✅ Added comprehensive tests for new reportTo and reportUri options
  • ✅ Verified all existing tests continue to pass
  • ✅ Tested edge cases and invalid inputs
  • ✅ Confirmed TypeScript type safety


codecov bot commented Nov 30, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.49%. Comparing base (b06005a) to head (1e6c12c).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4555   +/-   ##
=======================================
  Coverage   91.49%   91.49%           
=======================================
  Files         172      172           
  Lines       11230    11230           
  Branches     3257     3259    +2     
=======================================
  Hits        10275    10275           
  Misses        954      954           
  Partials        1        1           


Inline review comment on src/middleware/secure-headers/secure-headers.ts, at these lines:

  const resultValues: string[] = []

  for (const [directive, value] of Object.entries(contentSecurityPolicy)) {
    if (directive === 'reportUri') {

Member:

I realized that this if (directive === 'reportUri') {} and if (contentSecurityPolicy.reportUri) {} are not necessary, right?

So I think that we can apply this patch:

diff --git a/src/middleware/secure-headers/secure-headers.ts b/src/middleware/secure-headers/secure-headers.ts
index 55afa21d..cb81a0fd 100644
--- a/src/middleware/secure-headers/secure-headers.ts
+++ b/src/middleware/secure-headers/secure-headers.ts
@@ -244,9 +244,6 @@ function getCSPDirectives(
   const resultValues: string[] = []

   for (const [directive, value] of Object.entries(contentSecurityPolicy)) {
-    if (directive === 'reportUri') {
-      continue
-    }
     const valueArray = Array.isArray(value) ? value : [value]

     valueArray.forEach((value, i) => {
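Review bot: removing this `continue` is only correct in combination with deleting the dedicated `report-uri` block further down in the same function; applied alone, `reportUri` would be serialized twice, once here by the generic loop and once by `resultValues.push('report-uri', ' ', uris.join(' '), '; ')`. The generic path is now also responsible for turning the key `reportUri` into the directive name `report-uri` (the `valueArray` normalization visible here only covers the string-vs-array value), so a test asserting the exact header for both `reportUri: '/csp-report'` and `reportUri: ['/a', '/b']` would pin that behaviour.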
@@ -266,12 +263,6 @@ function getCSPDirectives(
       '; '
     )
   }
-  if (contentSecurityPolicy.reportUri) {
-    const uris = Array.isArray(contentSecurityPolicy.reportUri)
-      ? contentSecurityPolicy.reportUri
-      : [contentSecurityPolicy.reportUri]
-    resultValues.push('report-uri', ' ', uris.join(' '), '; ')
-  }
   resultValues.pop()

   return callbacks.length === 0
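Review bot: with the trailing append removed, `report-uri` is emitted in the position its key occupies in the caller's object instead of always last, and the `resultValues.pop()` just above now relies on the generic loop leaving the same `'; '` trailer the deleted block pushed. A test that puts `reportUri` before `defaultSrc` in the policy object and checks that the serialized header has no dangling `; ` and no duplicate `report-uri` would cover both points.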

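The generic serialization path that both the PR description (serialize both directives, omit them when undefined) and the reviewer's patch (no special case for reportUri) rely on, as an added example that is not Hono's code and not part of this PR: a stand-alone TypeScript CSP builder that kebab-cases camelCase directive names so `reportUri` becomes `report-uri` and `reportTo` becomes `report-to` without any special handling, space-joins array values, skips undefined directives, and pairs `report-to` with the `Reporting-Endpoints` header whose group name it must match. The function names `buildCsp`, `buildReportingEndpoints`, `reportToGroupDeclared` and `exampleHeaders`, the sample policy and the endpoint URL are assumptions made for this example.

```typescript
// Added example, not Hono's secure-headers implementation. Names and the
// sample policy below are assumptions for illustration.

type CspValue = string | string[] | undefined

interface CspDirectives {
  [directive: string]: CspValue
}

// Convert a camelCase key such as `reportUri` to its CSP spelling `report-uri`.
function toKebab(key: string): string {
  return key.replace(/[A-Z]/g, (ch) => `-${ch.toLowerCase()}`)
}

// Serialize a directive object into a Content-Security-Policy header value.
// Undefined directives are omitted, array values are space-joined, directives
// keep the object's key order and are separated by "; ". An empty array
// yields a bare directive name (e.g. `upgrade-insecure-requests`).
function buildCsp(directives: CspDirectives): string {
  const parts: string[] = []
  for (const [key, value] of Object.entries(directives)) {
    if (value === undefined) continue
    const values = (Array.isArray(value) ? value : [value]).filter((v) => v !== '')
    const name = toKebab(key)
    parts.push(values.length ? `${name} ${values.join(' ')}` : name)
  }
  return parts.join('; ')
}

// `report-to <group>` is inert unless the same group is declared in a
// Reporting-Endpoints header. Build that header from a group -> URL map:
//   Reporting-Endpoints: csp-endpoint="https://example.com/csp-report"
function buildReportingEndpoints(endpoints: Record<string, string>): string {
  return Object.entries(endpoints)
    .map(([group, url]) => `${group}="${url}"`)
    .join(', ')
}

// Check that every group named in `reportTo` has a declared endpoint.
// A policy without `reportTo` has nothing to check and passes.
function reportToGroupDeclared(
  directives: CspDirectives,
  endpoints: Record<string, string>
): boolean {
  const group = directives.reportTo
  if (group === undefined) return true
  const groups = Array.isArray(group) ? group : [group]
  return groups.every((g) => g in endpoints)
}

// Constructed sample policy mirroring the usage snippet in the PR description.
const samplePolicy: CspDirectives = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'", 'https://cdn.example.com'],
  upgradeInsecureRequests: [],
  reportUri: '/csp-report',
  reportTo: 'csp-endpoint',
  frameAncestors: undefined, // left out of the header entirely
}

// Constructed endpoint map; the URL is an assumption for the example.
const sampleEndpoints: Record<string, string> = {
  'csp-endpoint': 'https://example.com/csp-report',
}

// The two headers a response would carry for the sample policy.
function exampleHeaders(): Record<string, string> {
  if (!reportToGroupDeclared(samplePolicy, sampleEndpoints)) {
    throw new Error('report-to names a group with no Reporting-Endpoints entry')
  }
  return {
    'Content-Security-Policy': buildCsp(samplePolicy),
    'Reporting-Endpoints': buildReportingEndpoints(sampleEndpoints),
  }
}

console.log(exampleHeaders())
```

Two points the policy object does not make obvious: a browser that understands `report-to` ignores `report-uri` when both directives are present, so the legacy directive only serves clients without Reporting API support, and `report-to` on its own sends nothing until a `Reporting-Endpoints` header declares the group, which the `reportToGroupDeclared` check above is there to catch at configuration time.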
Author:

Thank you for pointing that out! I removed those lines as suggested! If there are any more suggestions, I'll be happy to implement them.

Remove 'reportUri' directive handling from Content Security Policy.
@yusukebe yusukebe left a comment


LGTM!


yusukebe commented Dec 2, 2025

Hey @cruzz77 !

Looks good to me. I'll merge this later and include this change in the next minor release. Thank you for your contribution!


cruzz77 commented Dec 2, 2025

Thanks a lot! Had fun doing this!
