nuxt-csp-report 1.0.0-alpha.2 → 1.0.0

package/README.md

@@ -1,176 +1,185 @@
-# Nuxt CSP Report
-
-[![npm version][npm-version-src]][npm-version-href]
-[![npm downloads][npm-downloads-src]][npm-downloads-href]
-[![License][license-src]][license-href]
-[![Nuxt][nuxt-src]][nuxt-href]
-
-A Nuxt module for collecting, normalizing, and persisting Content Security Policy (CSP) reports.
-
-[✨ Release Notes](/CHANGELOG.md)
-
-## What is CSP and CSP reports?
-
-The CSP is a HTTP response header that allows you to control which resources a document is allowed to load. For example setting `Content-Security-Policy: script-src example.com;` will prevent any script tag from loading a source that is not from `example.com`. Any violation will be logged in the console of the browser. Additionally, a reporting endpoint can be set in the CSP header where the browser will send the CSP report to.
-
-Once you decide to secure your website with CSP, you most likely want to analyze on production if your CSP headers are configured properly. That can be tricky the more external resources are loaded. Especially dynamically loaded scripts, e.g. depending on your country or your consent, are not always the same for every user. That's where the CSP reports are helpful, because they show the real CSP violations that users experience in their browsers.
-
-## Features
-
-- 📋 Registers a POST endpoint for CSP reports
-- 📡 Adds the `Reporting-Endpoints` header to your responses for `report-to` support
-- 🔄 Supports both legacy `report-uri` and `report-to` format reports
-- ✅ Validates and normalizes reports with Zod
-- 💾 Persists reports via unstorage
-- 📝 Full TypeScript support with proper type exports
-
-## Quick Setup
-
-Install the module to your Nuxt application:
-
-```bash
-npm install nuxt-csp-report
-```
-
-Add it to your `nuxt.config.ts`:
-
-```typescript
-export default defineNuxtConfig({
-  modules: ['nuxt-csp-report'],
-  cspReport: {
-    //  Module options
-  },
-})
-```
-
-## Usage
-
-The module is ready to go with the defaults.
-In most use cases simple logs are sufficient. If you want to analyze CSP reports, you can use the `storage` option to persist the reports in a KV store. 
-
-### nuxt-security
-
-The Content Security Policy is set through specific headers. You can handle that yourself with Nuxt/Nitro, but I highly recommend using [nuxt-security](https://github.com/Baroshem/nuxt-security). 
-Here is a minimal example of how to use the two moduls in combination:
-
-```typescript
-export default defineNuxtConfig({
-  modules: ['nuxt-security', 'nuxt-csp-report'],
-  security: {
-    headers: {
-      contentSecurityPolicy: {
-        'report-uri': '/api/csp-report',
-        // your CSP headers
-      },
-    },
-  },
-})
-```
-
-### Advanced: Access reports
-
-Depending on your use case you might want to access the CSP reports. You can do that with `useStorage`:
-
-```typescript
-export default defineNuxtConfig({
-  modules: ['nuxt-csp-report'],
-  cspReport: {
-    storage: {
-      driver: {
-        name: 'redis',
-        options: {
-          // Your redis configuration
-        } 
-      }
-    },
-  },
-})
-```
-
-```typescript
-import  { type NormalizedCspReport } from 'nuxt-csp-report'
-
-const storage = useStorage<NormalizedCspReport>('csp-report-storage')
-```
-
-## Options
-
-### endpoint
-* Type: `string`
-* Default: `/api/csp-report`
-* Description: Optional. Path for the CSP report endpoint.
-
-### reportingEndpointsHeader 
-* Type: `boolean`
-* Default: `false`
-* Description: Optional. Adds the `Reporting-Endpoints` header to your HTML responses, using `'csp-endpoint'` as the key and `endpoint` from the configuration as the value. This header is needed if you want to use `report-to csp-endpoint` in your CSP configuration.
-
-### console 
-* Type: `'summary' | 'full' | false`
-* Default: `'summary'`
-* Description: Optional. Log reports to console on server. `'full'` will print the `NormalizedCspReport` object.
-
-### storage
-* Type: See fields below.
-* Description: Optional. Sets up a storage using `unstorage`, which is part of Nitro and Nuxt.
-
-### storage.driver
-* Type: `BuiltinDriverOptions`
-* Description: Defines the driver from `unstorage`. You can use the same notation and drivers as in Nuxt:
-  * https://nuxt.com/docs/4.x/directory-structure/server#server-storage
-  * https://nitro.build/guide/storage
-  * https://unstorage.unjs.io/drivers
-
-### storage.keyPrefix 
-* Type: `string`
-* Default: `csp-report`
-* Description: Optional. Key prefix for the stored reports.
-
-
-## Contribution
-
-<details>
-  <summary>Local development</summary>
-  
-  ```bash
-  # Install dependencies
-  pnpm install
-  
-  # Generate type stubs
-  pnpm run dev:prepare
-  
-  # Develop with the playground
-  pnpm run dev
-  
-  # Build the playground
-  pnpm run dev:build
-  
-  # Run ESLint
-  pnpm run lint
-  
-  # Run Vitest
-  pnpm run test
-  pnpm run test:watch
-  
-  # Build the module
-  pnpm run prepack
-  
-  # Release new version
-  pnpm run release
-  ```
-
-</details>
-
-
-<!-- Badges -->
-[npm-version-src]: https://img.shields.io/npm/v/nuxt-csp-report/latest.svg?style=flat&colorA=020420&colorB=00DC82
-[npm-version-href]: https://npmjs.com/package/nuxt-csp-report
-
-[npm-downloads-src]: https://img.shields.io/npm/dm/nuxt-csp-report.svg?style=flat&colorA=020420&colorB=00DC82
-[npm-downloads-href]: https://npm.chart.dev/nuxt-csp-report
-
-[license-src]: https://img.shields.io/npm/l/nuxt-csp-report.svg?style=flat&colorA=020420&colorB=00DC82
-[license-href]: https://npmjs.com/package/nuxt-csp-report
-
-[nuxt-src]: https://img.shields.io/badge/Nuxt-020420?logo=nuxt.js
-[nuxt-href]: https://nuxt.com
+# Nuxt CSP Report
+
+[![npm version][npm-version-src]][npm-version-href]
+[![npm downloads][npm-downloads-src]][npm-downloads-href]
+[![License][license-src]][license-href]
+[![Nuxt][nuxt-src]][nuxt-href]
+
+A Nuxt module for collecting, normalizing, and persisting Content Security Policy (CSP) reports.
+
+**Compatibility:** Nuxt 3 (3.12.0 and newer) and Nuxt 4.
+
+[✨&nbsp;Release Notes](/CHANGELOG.md)
+
+## What is CSP and CSP reports?
+
+The CSP is a HTTP response header that allows you to control which resources a document is allowed to load. For example setting `Content-Security-Policy: script-src example.com;` will prevent any script tag from loading a source that is not from `example.com`. Any violation will be logged in the console of the browser. Additionally, a reporting endpoint can be set in the CSP header where the browser will send the CSP report to.
+
+Once you decide to secure your website with CSP, you most likely want to analyze on production if your CSP headers are configured properly. That can be tricky the more external resources are loaded. Especially dynamically loaded scripts, e.g. depending on your country or your consent, are not always the same for every user. That's where the CSP reports are helpful, because they show the real CSP violations that users experience in their browsers.
+
+## Features
+
+- 📋 Registers a POST endpoint for CSP reports
+- 📡 Adds the `Reporting-Endpoints` header to your responses for `report-to` support
+- 🔄 Supports both legacy `report-uri` and `report-to` format reports
+- ✅ Validates and normalizes reports with Zod
+- 💾 Persists reports via unstorage
+- 📝 Full TypeScript support with proper type exports
+
+## Quick Setup
+
+Install the module to your Nuxt application:
+
+```bash
+npm install nuxt-csp-report
+```
+
+Add it to your `nuxt.config.ts`:
+
+```typescript
+export default defineNuxtConfig({
+  modules: ['nuxt-csp-report'],
+  cspReport: {
+    //  Module options
+  },
+})
+```
+
+## Examples
+
+* Minimal starter: [![Open in StackBlitz](https://developer.stackblitz.com/img/open_in_stackblitz_small.svg)](https://stackblitz.com/github/Gonzo17/nuxt-csp-report/tree/main/examples/minimal?file=nuxt.config.ts)
+  * Source: [examples/minimal/nuxt.config.ts](examples/minimal/nuxt.config.ts) and [examples/minimal/app.vue](examples/minimal/app.vue). 
+  * StackBlitz runs inside an iframe; the example CSP allows `frame-ancestors` for `*.stackblitz.io`, `*.webcontainer.io`, and `*.local-credentialless.webcontainer.io`.
+* Playground (used for development): [playground/nuxt.config.ts](playground/nuxt.config.ts) with nuxt-security defaults and extra logging.
+
+## Usage
+
+The module is ready to go with the defaults.
+In most use cases simple logs are sufficient. If you want to analyze CSP reports, you can use the `storage` option to persist the reports in a KV store.
+
+### nuxt-security
+
+The Content Security Policy is set through specific headers. You can handle that yourself with Nuxt/Nitro, but I highly recommend using [nuxt-security](https://github.com/Baroshem/nuxt-security).
+Here is a minimal example of how to use the two moduls in combination:
+
+```typescript
+export default defineNuxtConfig({
+  modules: ['nuxt-security', 'nuxt-csp-report'],
+  security: {
+    headers: {
+      contentSecurityPolicy: {
+        'report-uri': '/api/csp-report',
+        // your CSP headers
+      },
+    },
+  },
+})
+```
+
+### Advanced: Access reports
+
+Depending on your use case you might want to access the CSP reports. You can do that with `useStorage`:
+
+```typescript
+export default defineNuxtConfig({
+  modules: ['nuxt-csp-report'],
+  cspReport: {
+    storage: {
+      driver: {
+        name: 'redis',
+        options: {
+          // Your redis configuration
+        }
+      }
+    },
+  },
+})
+```
+
+```typescript
+import  { type NormalizedCspReport } from 'nuxt-csp-report'
+
+const storage = useStorage<NormalizedCspReport>('csp-report-storage')
+```
+
+## Options
+
+### endpoint
+* Type: `string`
+* Default: `/api/csp-report`
+* Description: Optional. Path for the CSP report endpoint.
+
+### reportingEndpointsHeader
+* Type: `boolean`
+* Default: `false`
+* Description: Optional. Adds the `Reporting-Endpoints` header to your HTML responses, using `'csp-endpoint'` as the key and `endpoint` from the configuration as the value. This header is needed if you want to use `report-to csp-endpoint` in your CSP configuration.
+
+### console
+* Type: `'summary' | 'full' | false`
+* Default: `'summary'`
+* Description: Optional. Log reports to console on server. `'full'` will print the `NormalizedCspReport` object.
+
+### storage
+* Type: See fields below.
+* Description: Optional. Sets up a storage using `unstorage`, which is part of Nitro and Nuxt.
+
+### storage.driver
+* Type: `BuiltinDriverOptions`
+* Description: Defines the driver from `unstorage`. You can use the same notation and drivers as in Nuxt:
+  * https://nuxt.com/docs/4.x/directory-structure/server#server-storage
+  * https://nitro.build/guide/storage
+  * https://unstorage.unjs.io/drivers
+
+### storage.keyPrefix
+* Type: `string`
+* Default: `csp-report`
+* Description: Optional. Key prefix for the stored reports.
+
+
+## Contribution
+
+<details>
+  <summary>Local development</summary>
+
+  ```bash
+  # Install dependencies
+  pnpm install
+
+  # Generate type stubs
+  pnpm dev:prepare
+
+  # Develop with the playground
+  pnpm dev
+
+  # Build the playground
+  pnpm dev:build
+
+  # Run ESLint
+  pnpm lint
+
+  # Run Vitest
+  pnpm test
+  pnpm test:watch
+
+  # Build the module
+  pnpm prepack
+
+  # Release new version
+  pnpm release
+  ```
+
+</details>
+
+
+<!-- Badges -->
+[npm-version-src]: https://img.shields.io/npm/v/nuxt-csp-report/latest.svg?style=flat&colorA=020420&colorB=00DC82
+[npm-version-href]: https://npmjs.com/package/nuxt-csp-report
+
+[npm-downloads-src]: https://img.shields.io/npm/dm/nuxt-csp-report.svg?style=flat&colorA=020420&colorB=00DC82
+[npm-downloads-href]: https://npm.chart.dev/nuxt-csp-report
+
+[license-src]: https://img.shields.io/npm/l/nuxt-csp-report.svg?style=flat&colorA=020420&colorB=00DC82
+[license-href]: https://npmjs.com/package/nuxt-csp-report
+
+[nuxt-src]: https://img.shields.io/badge/Nuxt-020420?logo=nuxt.js
+[nuxt-href]: https://nuxt.com

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "nuxt-csp-report",
   "configKey": "cspReport",
-  "version": "1.0.0-alpha.2",
+  "version": "1.0.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/runtime/server/api/csp-report.post.js

@@ -1,4 +1,4 @@
-import { useRuntimeConfig, useStorage, readBody, defineEventHandler } from "#imports";
+import { useRuntimeConfig, useStorage, readBody, defineEventHandler, setResponseStatus } from "#imports";
 import { normalizeCspReport } from "../utils/normalizeCspReport.js";
 import { formatCspLog } from "../utils/formatCspLog.js";
 const runtimeConfig = useRuntimeConfig();
@@ -27,6 +27,7 @@ export default defineEventHandler(async (event) => {
     return { ok: true };
   } catch (err) {
     console.error("[nuxt-csp-report]", err);
-    return { ok: true };
+    setResponseStatus(event, 500);
+    return { ok: false };
   }
 });

package/dist/runtime/server/utils/normalizeCspReport.d.ts

@@ -41,7 +41,7 @@ declare const reportToEntrySchema: z.ZodObject<{
     url: z.ZodString;
     user_agent: z.ZodString;
 }, z.core.$loose>;
-declare const reportToSchema: z.ZodArray<z.ZodObject<{
+declare const _reportToSchema: z.ZodArray<z.ZodObject<{
     age: z.ZodNumber;
     body: z.ZodObject<{
         blockedURL: z.ZodString;
@@ -64,6 +64,6 @@ declare const reportToSchema: z.ZodArray<z.ZodObject<{
     user_agent: z.ZodString;
 }, z.core.$loose>>;
 export type ReportToEntryFormat = z.infer<typeof reportToEntrySchema>;
-export type ReportToFormat = z.infer<typeof reportToSchema>;
+export type ReportToFormat = z.infer<typeof _reportToSchema>;
 export declare function normalizeCspReport(input: unknown): NormalizedCspReport[];
 export {};

package/dist/runtime/server/utils/normalizeCspReport.js

@@ -32,42 +32,45 @@ const reportToEntrySchema = z.object({
   type: z.string(),
   url: z.string(),
   user_agent: z.string()
-}).passthrough();
-const reportToSchema = reportToEntrySchema.array();
+}).loose();
+const _reportToSchema = reportToEntrySchema.array();
 export function normalizeCspReport(input) {
-  if (!input) {
-    return [];
+  if (!input) return [];
+  if (typeof input === "object" && input !== null && "csp-report" in input) {
+    const parsed = reportUriSchema.safeParse(input);
+    if (!parsed.success) return [];
+    const report = parsed.data["csp-report"];
+    return [{
+      raw: parsed.data,
+      timestamp: Date.now(),
+      documentURL: report["document-uri"],
+      blockedURL: report["blocked-uri"],
+      directive: report["violated-directive"],
+      sourceFile: report["source-file"],
+      line: report["line-number"],
+      disposition: report["disposition"]
+    }];
   }
-  try {
-    if (typeof input === "object" && "csp-report" in input) {
-      const parsed = reportUriSchema.parse(input);
-      return [{
-        raw: parsed,
+  if (Array.isArray(input)) {
+    const reports = [];
+    for (const entry of input) {
+      const parsed = reportToEntrySchema.safeParse(entry);
+      if (!parsed.success) continue;
+      if (parsed.data.type !== "csp-violation") continue;
+      const { body } = parsed.data;
+      reports.push({
+        raw: parsed.data,
         timestamp: Date.now(),
-        documentURL: parsed["csp-report"]["document-uri"],
-        blockedURL: parsed["csp-report"]["blocked-uri"],
-        directive: parsed["csp-report"]["violated-directive"],
-        sourceFile: parsed["csp-report"]["source-file"],
-        line: parsed["csp-report"]["line-number"],
-        disposition: parsed["csp-report"]["disposition"]
-      }];
-    }
-    if (Array.isArray(input)) {
-      const parsed = reportToSchema.parse(input);
-      return parsed.map((item) => {
-        return {
-          raw: item,
-          timestamp: Date.now(),
-          documentURL: item.body.documentURL,
-          blockedURL: item.body.blockedURL,
-          directive: item.body.effectiveDirective,
-          sourceFile: item.body.sourceFile,
-          line: item.body.lineNumber,
-          disposition: item.body.disposition
-        };
+        documentURL: body.documentURL,
+        blockedURL: body.blockedURL,
+        directive: body.effectiveDirective,
+        sourceFile: body.sourceFile,
+        line: body.lineNumber,
+        column: body.columnNumber,
+        disposition: body.disposition
       });
     }
-  } catch {
+    return reports;
   }
   return [];
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nuxt-csp-report",
-  "version": "1.0.0-alpha.2",
+  "version": "1.0.0",
   "description": "A Nuxt module for collecting, normalizing, and persisting Content Security Policy reports",
   "repository": {
     "type": "git",
@@ -35,17 +35,6 @@
   "files": [
     "dist"
   ],
-  "scripts": {
-    "prepack": "nuxt-module-build build",
-    "dev": "npm run dev:prepare && nuxi dev playground",
-    "dev:build": "nuxi build playground",
-    "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxi prepare playground",
-    "release": "npm run lint && npm run test && npm run prepack && changelogen --release --prerelease alpha && npm publish --tag alpha && git push --follow-tags",
-    "lint": "eslint .",
-    "test": "vitest run",
-    "test:watch": "vitest watch",
-    "test:types": "vue-tsc --noEmit && cd playground && vue-tsc --noEmit"
-  },
   "dependencies": {
     "@nuxt/kit": "^4.2.2",
     "defu": "^6.1.4",
@@ -66,5 +55,18 @@
     "typescript": "~5.9.3",
     "vitest": "^4.0.16",
     "vue-tsc": "^3.2.1"
+  },
+  "peerDependencies": {
+    "nuxt": ">=3.12.0 <5"
+  },
+  "scripts": {
+    "dev": "pnpm dev:prepare && nuxi dev playground",
+    "dev:build": "nuxi build playground",
+    "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxi prepare playground",
+    "release": "pnpm lint && pnpm test && pnpm prepack && changelogen --release && pnpm publish && git push --follow-tags",
+    "lint": "eslint .",
+    "test": "vitest run",
+    "test:watch": "vitest watch",
+    "test:types": "vue-tsc --noEmit && cd playground && vue-tsc --noEmit"
   }
 }