nuxt-csp-report 1.0.0-alpha.1

package/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025-present - Gonzo17
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,176 @@
+# Nuxt CSP Report
+
+[![npm version][npm-version-src]][npm-version-href]
+[![npm downloads][npm-downloads-src]][npm-downloads-href]
+[![License][license-src]][license-href]
+[![Nuxt][nuxt-src]][nuxt-href]
+
+A Nuxt module for collecting, normalizing, and persisting Content Security Policy (CSP) reports.
+
+[✨ Release Notes](/CHANGELOG.md)
+
+## What is CSP and CSP reports?
+
+The CSP is a HTTP response header that allows you to control which resources a document is allowed to load. For example setting `Content-Security-Policy: script-src example.com;` will prevent any script tag from loading a source that is not from `example.com`. Any violation will be logged in the console of the browser. Additionally, a reporting endpoint can be set in the CSP header where the browser will send the CSP report to.
+
+Once you decide to secure your website with CSP, you most likely want to analyze on production if your CSP headers are configured properly. That can be tricky the more external resources are loaded. Especially dynamically loaded scripts, e.g. depending on your country or your consent, are not always the same for every user. That's where the CSP reports are helpful, because they show the real CSP violations that users experience in their browsers.
+
+## Features
+
+- 📋 Registers a POST endpoint for CSP reports
+- 📡 Adds the `Reporting-Endpoints` header to your responses for `report-to` support
+- 🔄 Supports both legacy `report-uri` and `report-to` format reports
+- ✅ Validates and normalizes reports with Zod
+- 💾 Persists reports via unstorage
+- 📝 Full TypeScript support with proper type exports
+
+## Quick Setup
+
+Install the module to your Nuxt application:
+
+```bash
+npm install nuxt-csp-report
+```
+
+Add it to your `nuxt.config.ts`:
+
+```typescript
+export default defineNuxtConfig({
+  modules: ['nuxt-csp-report'],
+  cspReport: {
+    //  Module options
+  },
+})
+```
+
+## Usage
+
+The module is ready to go with the defaults.
+In most use cases simple logs are sufficient. If you want to analyze CSP reports, you can use the `storage` option to persist the reports in a KV store. 
+
+### nuxt-security
+
+The Content Security Policy is set through specific headers. You can handle that yourself with Nuxt/Nitro, but I highly recommend using [nuxt-security](https://github.com/Baroshem/nuxt-security). 
+Here is a minimal example of how to use the two moduls in combination:
+
+```typescript
+export default defineNuxtConfig({
+  modules: ['nuxt-security', 'nuxt-csp-report'],
+  security: {
+    headers: {
+      contentSecurityPolicy: {
+        'report-uri': '/api/csp-report',
+        // your CSP headers
+      },
+    },
+  },
+})
+```
+
+### Advanced: Access reports
+
+Depending on your use case you might want to access the CSP reports. You can do that with `useStorage`:
+
+```typescript
+export default defineNuxtConfig({
+  modules: ['nuxt-csp-report'],
+  cspReport: {
+    storage: {
+      driver: {
+        name: 'redis',
+        options: {
+          // Your redis configuration
+        } 
+      }
+    },
+  },
+})
+```
+
+```typescript
+import  { type NormalizedCspReport } from 'nuxt-csp-report'
+
+const storage = useStorage<NormalizedCspReport>('csp-report-storage')
+```
+
+## Options
+
+### endpoint
+* Type: `string`
+* Default: `/api/csp-report`
+* Description: Optional. Path for the CSP report endpoint.
+
+### reportingEndpointsHeader 
+* Type: `boolean`
+* Default: `false`
+* Description: Optional. Adds the `Reporting-Endpoints` header to your HTML responses, using `'csp-endpoint'` as the key and `endpoint` from the configuration as the value. This header is needed if you want to use `report-to csp-endpoint` in your CSP configuration.
+
+### console 
+* Type: `'summary' | 'full' | false`
+* Default: `'summary'`
+* Description: Optional. Log reports to console on server. `'full'` will print the `NormalizedCspReport` object.
+
+### storage
+* Type: See fields below.
+* Description: Optional. Sets up a storage using `unstorage`, which is part of Nitro and Nuxt.
+
+### storage.driver
+* Type: `BuiltinDriverOptions`
+* Description: Defines the driver from `unstorage`. You can use the same notation and drivers as in Nuxt:
+  * https://nuxt.com/docs/4.x/directory-structure/server#server-storage
+  * https://nitro.build/guide/storage
+  * https://unstorage.unjs.io/drivers
+
+### storage.keyPrefix 
+* Type: `string`
+* Default: `csp-report`
+* Description: Optional. Key prefix for the stored reports.
+
+
+## Contribution
+
+<details>
+  <summary>Local development</summary>
+  
+  ```bash
+  # Install dependencies
+  pnpm install
+  
+  # Generate type stubs
+  pnpm run dev:prepare
+  
+  # Develop with the playground
+  pnpm run dev
+  
+  # Build the playground
+  pnpm run dev:build
+  
+  # Run ESLint
+  pnpm run lint
+  
+  # Run Vitest
+  pnpm run test
+  pnpm run test:watch
+  
+  # Build the module
+  pnpm run prepack
+  
+  # Release new version
+  pnpm run release
+  ```
+
+</details>
+
+
+<!-- Badges -->
+[npm-version-src]: https://img.shields.io/npm/v/nuxt-csp-report/latest.svg?style=flat&colorA=020420&colorB=00DC82
+[npm-version-href]: https://npmjs.com/package/nuxt-csp-report
+
+[npm-downloads-src]: https://img.shields.io/npm/dm/nuxt-csp-report.svg?style=flat&colorA=020420&colorB=00DC82
+[npm-downloads-href]: https://npm.chart.dev/nuxt-csp-report
+
+[license-src]: https://img.shields.io/npm/l/nuxt-csp-report.svg?style=flat&colorA=020420&colorB=00DC82
+[license-href]: https://npmjs.com/package/nuxt-csp-report
+
+[nuxt-src]: https://img.shields.io/badge/Nuxt-020420?logo=nuxt.js
+[nuxt-href]: https://nuxt.com

package/dist/module.d.mts

@@ -0,0 +1,41 @@
+import * as _nuxt_schema from '@nuxt/schema';
+import { BuiltinDriverOptions } from 'unstorage';
+import { ReportToEntryFormat, ReportUriFormat } from '../dist/runtime/server/utils/normalizeCspReport.js';
+export { ReportToEntryFormat, ReportToFormat, ReportUriFormat } from '../dist/runtime/server/utils/normalizeCspReport.js';
+
+interface NuxtCspReportModuleOptions {
+    endpoint: string;
+    reportingEndpointsHeader?: boolean;
+    console: 'summary' | 'full' | false;
+    storage?: {
+        keyPrefix?: string;
+        driver: {
+            [driverName in keyof BuiltinDriverOptions]: {
+                name: driverName;
+                options?: BuiltinDriverOptions[driverName];
+            };
+        }[keyof BuiltinDriverOptions];
+    };
+}
+declare module 'nuxt/schema' {
+    interface RuntimeConfig {
+        cspReport?: NuxtCspReportModuleOptions;
+    }
+}
+
+interface NormalizedCspReport {
+    timestamp: number;
+    documentURL: string;
+    blockedURL: string;
+    directive: string;
+    sourceFile?: string;
+    line?: number;
+    column?: number;
+    disposition: 'enforce' | 'report';
+    raw: ReportToEntryFormat | ReportUriFormat;
+}
+
+declare const _default: _nuxt_schema.NuxtModule<NuxtCspReportModuleOptions, NuxtCspReportModuleOptions, false>;
+
+export { _default as default };
+export type { NormalizedCspReport, NuxtCspReportModuleOptions };

package/dist/module.json

@@ -0,0 +1,9 @@
+{
+  "name": "nuxt-csp-report",
+  "configKey": "cspReport",
+  "version": "1.0.0-alpha.1",
+  "builder": {
+    "@nuxt/module-builder": "1.0.2",
+    "unbuild": "3.6.1"
+  }
+}

package/dist/module.mjs

@@ -0,0 +1,53 @@
+import { defineNuxtModule, createResolver, addServerHandler } from '@nuxt/kit';
+import { defu } from 'defu';
+
+const module$1 = defineNuxtModule({
+  meta: {
+    name: "nuxt-csp-report",
+    configKey: "cspReport"
+  },
+  defaults: {
+    endpoint: "/api/csp-report",
+    console: "summary",
+    reportingEndpointsHeader: false
+  },
+  setup(moduleOptions, nuxt) {
+    const resolver = createResolver(import.meta.url);
+    nuxt.options.runtimeConfig.cspReport = {
+      endpoint: moduleOptions.endpoint,
+      reportingEndpointsHeader: moduleOptions.reportingEndpointsHeader,
+      console: moduleOptions.console,
+      storage: moduleOptions.storage ? {
+        keyPrefix: moduleOptions.storage.keyPrefix || "csp-report",
+        driver: moduleOptions.storage.driver
+      } : void 0
+    };
+    addServerHandler({
+      route: moduleOptions.endpoint,
+      method: "post",
+      handler: resolver.resolve("./runtime/server/api/csp-report.post")
+    });
+    nuxt.hook("nitro:config", (config) => {
+      const cspReportConfig = nuxt.options.runtimeConfig.cspReport;
+      if (!cspReportConfig) return;
+      if (cspReportConfig.reportingEndpointsHeader) {
+        config.plugins = config.plugins || [];
+        config.plugins.push(resolver.resolve("./runtime/nitro/plugin/reporting-endpoints-header"));
+      }
+      const storageDriver = cspReportConfig.storage?.driver;
+      if (!storageDriver) return;
+      const { name, options = {} } = storageDriver;
+      config.storage = defu(
+        {
+          "csp-report-storage": {
+            driver: name,
+            ...options
+          }
+        },
+        config.storage
+      );
+    });
+  }
+});
+
+export { module$1 as default };

package/dist/runtime/nitro/plugin/reporting-endpoints-header.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("nitropack/types").NitroAppPlugin;
+export default _default;

package/dist/runtime/nitro/plugin/reporting-endpoints-header.js

@@ -0,0 +1,15 @@
+import { defineNitroPlugin } from "nitropack/runtime";
+import { useRuntimeConfig } from "#imports";
+import { setResponseHeader, getRequestHost, getRequestProtocol } from "h3";
+export default defineNitroPlugin((nitroApp) => {
+  const cspReportConfig = useRuntimeConfig().cspReport;
+  if (!cspReportConfig?.reportingEndpointsHeader) {
+    return;
+  }
+  nitroApp.hooks.hook("render:response", (response, { event }) => {
+    const protocol = getRequestProtocol(event, { xForwardedProto: true });
+    const host = getRequestHost(event, { xForwardedHost: true });
+    const endpoint = `${protocol}://${host}${cspReportConfig.endpoint}`;
+    setResponseHeader(event, "Reporting-Endpoints", `csp-endpoint="${endpoint}"`);
+  });
+});

package/dist/runtime/server/api/csp-report.post.d.ts

@@ -0,0 +1,2 @@
+declare const _default: any;
+export default _default;

package/dist/runtime/server/api/csp-report.post.js

@@ -0,0 +1,32 @@
+import { useRuntimeConfig, useStorage, readBody, defineEventHandler } from "#imports";
+import { normalizeCspReport } from "../utils/normalizeCspReport.js";
+import { formatCspLog } from "../utils/formatCspLog.js";
+const runtimeConfig = useRuntimeConfig();
+const storage = runtimeConfig.cspReport?.storage ? useStorage("csp-report-storage") : null;
+export default defineEventHandler(async (event) => {
+  try {
+    const config = runtimeConfig.cspReport;
+    const body = await readBody(event).catch(() => null);
+    const reports = normalizeCspReport(body);
+    for (const report of reports) {
+      switch (config?.console) {
+        case "summary":
+          console.info("[nuxt-csp-report]", formatCspLog(report));
+          break;
+        case "full":
+          console.info("[nuxt-csp-report]", report);
+          break;
+      }
+      if (storage) {
+        const suffix = Math.random().toString(36).slice(2, 8);
+        const timestamp = Date.now();
+        const key = `${config.storage.keyPrefix}:${timestamp}:${suffix}`;
+        await storage.setItem(key, report);
+      }
+    }
+    return { ok: true };
+  } catch (err) {
+    console.error("[nuxt-csp-report]", err);
+    return { ok: true };
+  }
+});

package/dist/runtime/server/tsconfig.json

@@ -0,0 +1,3 @@
+{
+  "extends": "../../../.nuxt/tsconfig.server.json",
+}

package/dist/runtime/server/utils/formatCspLog.d.ts

@@ -0,0 +1,2 @@
+import type { NormalizedCspReport } from '../../../types/report.js';
+export declare function formatCspLog(report: NormalizedCspReport): string;

package/dist/runtime/server/utils/formatCspLog.js

@@ -0,0 +1,12 @@
+export function formatCspLog(report) {
+  const parts = [];
+  if (report.directive) parts.push(`directive=${report.directive}`);
+  if (report.documentURL) parts.push(`document=${report.documentURL}`);
+  if (report.blockedURL) parts.push(`blocked=${report.blockedURL}`);
+  if (report.sourceFile) {
+    const loc = [report.sourceFile, report.line, report.column].filter((v) => v != null).join(":");
+    parts.push(`source=${loc}`);
+  }
+  if (report.disposition) parts.push(`mode=${report.disposition}`);
+  return parts.join(" | ");
+}

package/dist/runtime/server/utils/normalizeCspReport.d.ts

@@ -0,0 +1,376 @@
+import { z } from 'zod';
+import type { NormalizedCspReport } from '../../../types/report.js';
+declare const reportUriSchema: z.ZodObject<{
+    'csp-report': z.ZodObject<{
+        'blocked-uri': z.ZodString;
+        disposition: z.ZodEnum<["enforce", "report"]>;
+        'document-uri': z.ZodString;
+        'effective-directive': z.ZodString;
+        'line-number': z.ZodOptional<z.ZodNumber>;
+        'original-policy': z.ZodOptional<z.ZodString>;
+        referrer: z.ZodOptional<z.ZodString>;
+        'script-sample': z.ZodOptional<z.ZodString>;
+        'source-file': z.ZodOptional<z.ZodString>;
+        'status-code': z.ZodOptional<z.ZodNumber>;
+        'violated-directive': z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        disposition: "report" | "enforce";
+        'blocked-uri': string;
+        'document-uri': string;
+        'effective-directive': string;
+        'violated-directive': string;
+        referrer?: string | undefined;
+        'line-number'?: number | undefined;
+        'original-policy'?: string | undefined;
+        'script-sample'?: string | undefined;
+        'source-file'?: string | undefined;
+        'status-code'?: number | undefined;
+    }, {
+        disposition: "report" | "enforce";
+        'blocked-uri': string;
+        'document-uri': string;
+        'effective-directive': string;
+        'violated-directive': string;
+        referrer?: string | undefined;
+        'line-number'?: number | undefined;
+        'original-policy'?: string | undefined;
+        'script-sample'?: string | undefined;
+        'source-file'?: string | undefined;
+        'status-code'?: number | undefined;
+    }>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    'csp-report': z.ZodObject<{
+        'blocked-uri': z.ZodString;
+        disposition: z.ZodEnum<["enforce", "report"]>;
+        'document-uri': z.ZodString;
+        'effective-directive': z.ZodString;
+        'line-number': z.ZodOptional<z.ZodNumber>;
+        'original-policy': z.ZodOptional<z.ZodString>;
+        referrer: z.ZodOptional<z.ZodString>;
+        'script-sample': z.ZodOptional<z.ZodString>;
+        'source-file': z.ZodOptional<z.ZodString>;
+        'status-code': z.ZodOptional<z.ZodNumber>;
+        'violated-directive': z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        disposition: "report" | "enforce";
+        'blocked-uri': string;
+        'document-uri': string;
+        'effective-directive': string;
+        'violated-directive': string;
+        referrer?: string | undefined;
+        'line-number'?: number | undefined;
+        'original-policy'?: string | undefined;
+        'script-sample'?: string | undefined;
+        'source-file'?: string | undefined;
+        'status-code'?: number | undefined;
+    }, {
+        disposition: "report" | "enforce";
+        'blocked-uri': string;
+        'document-uri': string;
+        'effective-directive': string;
+        'violated-directive': string;
+        referrer?: string | undefined;
+        'line-number'?: number | undefined;
+        'original-policy'?: string | undefined;
+        'script-sample'?: string | undefined;
+        'source-file'?: string | undefined;
+        'status-code'?: number | undefined;
+    }>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    'csp-report': z.ZodObject<{
+        'blocked-uri': z.ZodString;
+        disposition: z.ZodEnum<["enforce", "report"]>;
+        'document-uri': z.ZodString;
+        'effective-directive': z.ZodString;
+        'line-number': z.ZodOptional<z.ZodNumber>;
+        'original-policy': z.ZodOptional<z.ZodString>;
+        referrer: z.ZodOptional<z.ZodString>;
+        'script-sample': z.ZodOptional<z.ZodString>;
+        'source-file': z.ZodOptional<z.ZodString>;
+        'status-code': z.ZodOptional<z.ZodNumber>;
+        'violated-directive': z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        disposition: "report" | "enforce";
+        'blocked-uri': string;
+        'document-uri': string;
+        'effective-directive': string;
+        'violated-directive': string;
+        referrer?: string | undefined;
+        'line-number'?: number | undefined;
+        'original-policy'?: string | undefined;
+        'script-sample'?: string | undefined;
+        'source-file'?: string | undefined;
+        'status-code'?: number | undefined;
+    }, {
+        disposition: "report" | "enforce";
+        'blocked-uri': string;
+        'document-uri': string;
+        'effective-directive': string;
+        'violated-directive': string;
+        referrer?: string | undefined;
+        'line-number'?: number | undefined;
+        'original-policy'?: string | undefined;
+        'script-sample'?: string | undefined;
+        'source-file'?: string | undefined;
+        'status-code'?: number | undefined;
+    }>;
+}, z.ZodTypeAny, "passthrough">>;
+export type ReportUriFormat = z.infer<typeof reportUriSchema>;
+declare const reportToEntrySchema: z.ZodObject<{
+    age: z.ZodNumber;
+    body: z.ZodObject<{
+        blockedURL: z.ZodString;
+        columnNumber: z.ZodOptional<z.ZodNumber>;
+        disposition: z.ZodEnum<["enforce", "report"]>;
+        documentURL: z.ZodString;
+        effectiveDirective: z.ZodString;
+        lineNumber: z.ZodOptional<z.ZodNumber>;
+        originalPolicy: z.ZodString;
+        referrer: z.ZodOptional<z.ZodString>;
+        sample: z.ZodOptional<z.ZodString>;
+        sourceFile: z.ZodOptional<z.ZodString>;
+        statusCode: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        statusCode: number;
+        blockedURL: string;
+        disposition: "report" | "enforce";
+        documentURL: string;
+        effectiveDirective: string;
+        originalPolicy: string;
+        referrer?: string | undefined;
+        columnNumber?: number | undefined;
+        lineNumber?: number | undefined;
+        sample?: string | undefined;
+        sourceFile?: string | undefined;
+    }, {
+        statusCode: number;
+        blockedURL: string;
+        disposition: "report" | "enforce";
+        documentURL: string;
+        effectiveDirective: string;
+        originalPolicy: string;
+        referrer?: string | undefined;
+        columnNumber?: number | undefined;
+        lineNumber?: number | undefined;
+        sample?: string | undefined;
+        sourceFile?: string | undefined;
+    }>;
+    type: z.ZodString;
+    url: z.ZodString;
+    user_agent: z.ZodString;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    age: z.ZodNumber;
+    body: z.ZodObject<{
+        blockedURL: z.ZodString;
+        columnNumber: z.ZodOptional<z.ZodNumber>;
+        disposition: z.ZodEnum<["enforce", "report"]>;
+        documentURL: z.ZodString;
+        effectiveDirective: z.ZodString;
+        lineNumber: z.ZodOptional<z.ZodNumber>;
+        originalPolicy: z.ZodString;
+        referrer: z.ZodOptional<z.ZodString>;
+        sample: z.ZodOptional<z.ZodString>;
+        sourceFile: z.ZodOptional<z.ZodString>;
+        statusCode: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        statusCode: number;
+        blockedURL: string;
+        disposition: "report" | "enforce";
+        documentURL: string;
+        effectiveDirective: string;
+        originalPolicy: string;
+        referrer?: string | undefined;
+        columnNumber?: number | undefined;
+        lineNumber?: number | undefined;
+        sample?: string | undefined;
+        sourceFile?: string | undefined;
+    }, {
+        statusCode: number;
+        blockedURL: string;
+        disposition: "report" | "enforce";
+        documentURL: string;
+        effectiveDirective: string;
+        originalPolicy: string;
+        referrer?: string | undefined;
+        columnNumber?: number | undefined;
+        lineNumber?: number | undefined;
+        sample?: string | undefined;
+        sourceFile?: string | undefined;
+    }>;
+    type: z.ZodString;
+    url: z.ZodString;
+    user_agent: z.ZodString;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    age: z.ZodNumber;
+    body: z.ZodObject<{
+        blockedURL: z.ZodString;
+        columnNumber: z.ZodOptional<z.ZodNumber>;
+        disposition: z.ZodEnum<["enforce", "report"]>;
+        documentURL: z.ZodString;
+        effectiveDirective: z.ZodString;
+        lineNumber: z.ZodOptional<z.ZodNumber>;
+        originalPolicy: z.ZodString;
+        referrer: z.ZodOptional<z.ZodString>;
+        sample: z.ZodOptional<z.ZodString>;
+        sourceFile: z.ZodOptional<z.ZodString>;
+        statusCode: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        statusCode: number;
+        blockedURL: string;
+        disposition: "report" | "enforce";
+        documentURL: string;
+        effectiveDirective: string;
+        originalPolicy: string;
+        referrer?: string | undefined;
+        columnNumber?: number | undefined;
+        lineNumber?: number | undefined;
+        sample?: string | undefined;
+        sourceFile?: string | undefined;
+    }, {
+        statusCode: number;
+        blockedURL: string;
+        disposition: "report" | "enforce";
+        documentURL: string;
+        effectiveDirective: string;
+        originalPolicy: string;
+        referrer?: string | undefined;
+        columnNumber?: number | undefined;
+        lineNumber?: number | undefined;
+        sample?: string | undefined;
+        sourceFile?: string | undefined;
+    }>;
+    type: z.ZodString;
+    url: z.ZodString;
+    user_agent: z.ZodString;
+}, z.ZodTypeAny, "passthrough">>;
+declare const reportToSchema: z.ZodArray<z.ZodObject<{
+    age: z.ZodNumber;
+    body: z.ZodObject<{
+        blockedURL: z.ZodString;
+        columnNumber: z.ZodOptional<z.ZodNumber>;
+        disposition: z.ZodEnum<["enforce", "report"]>;
+        documentURL: z.ZodString;
+        effectiveDirective: z.ZodString;
+        lineNumber: z.ZodOptional<z.ZodNumber>;
+        originalPolicy: z.ZodString;
+        referrer: z.ZodOptional<z.ZodString>;
+        sample: z.ZodOptional<z.ZodString>;
+        sourceFile: z.ZodOptional<z.ZodString>;
+        statusCode: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        statusCode: number;
+        blockedURL: string;
+        disposition: "report" | "enforce";
+        documentURL: string;
+        effectiveDirective: string;
+        originalPolicy: string;
+        referrer?: string | undefined;
+        columnNumber?: number | undefined;
+        lineNumber?: number | undefined;
+        sample?: string | undefined;
+        sourceFile?: string | undefined;
+    }, {
+        statusCode: number;
+        blockedURL: string;
+        disposition: "report" | "enforce";
+        documentURL: string;
+        effectiveDirective: string;
+        originalPolicy: string;
+        referrer?: string | undefined;
+        columnNumber?: number | undefined;
+        lineNumber?: number | undefined;
+        sample?: string | undefined;
+        sourceFile?: string | undefined;
+    }>;
+    type: z.ZodString;
+    url: z.ZodString;
+    user_agent: z.ZodString;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    age: z.ZodNumber;
+    body: z.ZodObject<{
+        blockedURL: z.ZodString;
+        columnNumber: z.ZodOptional<z.ZodNumber>;
+        disposition: z.ZodEnum<["enforce", "report"]>;
+        documentURL: z.ZodString;
+        effectiveDirective: z.ZodString;
+        lineNumber: z.ZodOptional<z.ZodNumber>;
+        originalPolicy: z.ZodString;
+        referrer: z.ZodOptional<z.ZodString>;
+        sample: z.ZodOptional<z.ZodString>;
+        sourceFile: z.ZodOptional<z.ZodString>;
+        statusCode: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        statusCode: number;
+        blockedURL: string;
+        disposition: "report" | "enforce";
+        documentURL: string;
+        effectiveDirective: string;
+        originalPolicy: string;
+        referrer?: string | undefined;
+        columnNumber?: number | undefined;
+        lineNumber?: number | undefined;
+        sample?: string | undefined;
+        sourceFile?: string | undefined;
+    }, {
+        statusCode: number;
+        blockedURL: string;
+        disposition: "report" | "enforce";
+        documentURL: string;
+        effectiveDirective: string;
+        originalPolicy: string;
+        referrer?: string | undefined;
+        columnNumber?: number | undefined;
+        lineNumber?: number | undefined;
+        sample?: string | undefined;
+        sourceFile?: string | undefined;
+    }>;
+    type: z.ZodString;
+    url: z.ZodString;
+    user_agent: z.ZodString;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    age: z.ZodNumber;
+    body: z.ZodObject<{
+        blockedURL: z.ZodString;
+        columnNumber: z.ZodOptional<z.ZodNumber>;
+        disposition: z.ZodEnum<["enforce", "report"]>;
+        documentURL: z.ZodString;
+        effectiveDirective: z.ZodString;
+        lineNumber: z.ZodOptional<z.ZodNumber>;
+        originalPolicy: z.ZodString;
+        referrer: z.ZodOptional<z.ZodString>;
+        sample: z.ZodOptional<z.ZodString>;
+        sourceFile: z.ZodOptional<z.ZodString>;
+        statusCode: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        statusCode: number;
+        blockedURL: string;
+        disposition: "report" | "enforce";
+        documentURL: string;
+        effectiveDirective: string;
+        originalPolicy: string;
+        referrer?: string | undefined;
+        columnNumber?: number | undefined;
+        lineNumber?: number | undefined;
+        sample?: string | undefined;
+        sourceFile?: string | undefined;
+    }, {
+        statusCode: number;
+        blockedURL: string;
+        disposition: "report" | "enforce";
+        documentURL: string;
+        effectiveDirective: string;
+        originalPolicy: string;
+        referrer?: string | undefined;
+        columnNumber?: number | undefined;
+        lineNumber?: number | undefined;
+        sample?: string | undefined;
+        sourceFile?: string | undefined;
+    }>;
+    type: z.ZodString;
+    url: z.ZodString;
+    user_agent: z.ZodString;
+}, z.ZodTypeAny, "passthrough">>, "many">;
+export type ReportToEntryFormat = z.infer<typeof reportToEntrySchema>;
+export type ReportToFormat = z.infer<typeof reportToSchema>;
+export declare function normalizeCspReport(input: unknown): NormalizedCspReport[];
+export {};

package/dist/runtime/server/utils/normalizeCspReport.js

@@ -0,0 +1,73 @@
+import { z } from "zod";
+const reportUriSchema = z.object({
+  "csp-report": z.object({
+    "blocked-uri": z.string(),
+    "disposition": z.enum(["enforce", "report"]),
+    "document-uri": z.string(),
+    "effective-directive": z.string(),
+    "line-number": z.number().optional(),
+    "original-policy": z.string().optional(),
+    "referrer": z.string().optional(),
+    "script-sample": z.string().optional(),
+    "source-file": z.string().optional(),
+    "status-code": z.number().optional(),
+    "violated-directive": z.string()
+  })
+}).passthrough();
+const reportToEntrySchema = z.object({
+  age: z.number(),
+  body: z.object({
+    blockedURL: z.string(),
+    columnNumber: z.number().optional(),
+    disposition: z.enum(["enforce", "report"]),
+    documentURL: z.string(),
+    effectiveDirective: z.string(),
+    lineNumber: z.number().optional(),
+    originalPolicy: z.string(),
+    referrer: z.string().optional(),
+    sample: z.string().optional(),
+    sourceFile: z.string().optional(),
+    statusCode: z.number()
+  }),
+  type: z.string(),
+  url: z.string(),
+  user_agent: z.string()
+}).passthrough();
+const reportToSchema = reportToEntrySchema.array();
+export function normalizeCspReport(input) {
+  if (!input) {
+    return [];
+  }
+  try {
+    if (typeof input === "object" && "csp-report" in input) {
+      const parsed = reportUriSchema.parse(input);
+      return [{
+        raw: parsed,
+        timestamp: Date.now(),
+        documentURL: parsed["csp-report"]["document-uri"],
+        blockedURL: parsed["csp-report"]["blocked-uri"],
+        directive: parsed["csp-report"]["violated-directive"],
+        sourceFile: parsed["csp-report"]["source-file"],
+        line: parsed["csp-report"]["line-number"],
+        disposition: parsed["csp-report"]["disposition"]
+      }];
+    }
+    if (Array.isArray(input)) {
+      const parsed = reportToSchema.parse(input);
+      return parsed.map((item) => {
+        return {
+          raw: item,
+          timestamp: Date.now(),
+          documentURL: item.body.documentURL,
+          blockedURL: item.body.blockedURL,
+          directive: item.body.effectiveDirective,
+          sourceFile: item.body.sourceFile,
+          line: item.body.lineNumber,
+          disposition: item.body.disposition
+        };
+      });
+    }
+  } catch {
+  }
+  return [];
+}

package/dist/types.d.mts

@@ -0,0 +1,11 @@
+import type { NuxtModule } from '@nuxt/schema'
+
+import type { default as Module } from './module.mjs'
+
+export type ModuleOptions = typeof Module extends NuxtModule<infer O> ? Partial<O> : Record<string, any>
+
+export { type ReportToEntryFormat, type ReportToFormat, type ReportUriFormat } from '../dist/runtime/server/utils/normalizeCspReport.js'
+
+export { default } from './module.mjs'
+
+export { type NormalizedCspReport, type NuxtCspReportModuleOptions } from './module.mjs'

package/package.json

@@ -0,0 +1,70 @@
+{
+  "name": "nuxt-csp-report",
+  "version": "1.0.0-alpha.1",
+  "description": "A Nuxt module for collecting, normalizing, and persisting Content Security Policy reports",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Gonzo17/nuxt-csp-report.git"
+  },
+  "homepage": "https://github.com/Gonzo17/nuxt-csp-report",
+  "license": "MIT",
+  "keywords": [
+    "nuxt",
+    "security",
+    "csp",
+    "content-security-policy",
+    "content-security-policy-report",
+    "report-to",
+    "report-uri"
+  ],
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/types.d.mts",
+      "import": "./dist/module.mjs"
+    }
+  },
+  "main": "./dist/module.mjs",
+  "typesVersions": {
+    "*": {
+      ".": [
+        "./dist/types.d.mts"
+      ]
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "prepack": "nuxt-module-build build",
+    "dev": "npm run dev:prepare && nuxi dev playground",
+    "dev:build": "nuxi build playground",
+    "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxi prepare playground",
+    "release": "npm run lint && npm run test && npm run prepack && changelogen --release --prerelease alpha && npm publish --tag alpha && git push --follow-tags",
+    "lint": "eslint .",
+    "test": "vitest run",
+    "test:watch": "vitest watch",
+    "test:types": "vue-tsc --noEmit && cd playground && vue-tsc --noEmit"
+  },
+  "dependencies": {
+    "@nuxt/kit": "^4.2.1",
+    "defu": "^6.1.4",
+    "unstorage": "^1.17.3",
+    "zod": "^3.22.4"
+  },
+  "devDependencies": {
+    "@nuxt/devtools": "^3.1.0",
+    "@nuxt/eslint-config": "^1.10.0",
+    "@nuxt/module-builder": "^1.0.2",
+    "@nuxt/schema": "^4.2.1",
+    "@nuxt/test-utils": "^3.20.1",
+    "@types/node": "latest",
+    "changelogen": "^0.6.2",
+    "eslint": "^9.39.1",
+    "nuxt": "^4.2.1",
+    "nuxt-security": "^2.5.0",
+    "typescript": "~5.9.3",
+    "vitest": "^4.0.13",
+    "vue-tsc": "^3.1.5"
+  }
+}