Add CSP violation report endpoint

Summary

Add an API endpoint to receive and log Content Security Policy (CSP) violation reports. This is a prerequisite for implementing CSP headers in Report-Only mode.

Background

Before enabling CSP headers, we need a way to collect violation reports to:

Identify what resources would be blocked
Fine-tune the CSP policy before enforcing it
Monitor for ongoing violations in production

Implementation Details

Create /api/csp-report endpoint in the blog app that:

Accepts POST requests with CSP violation reports (JSON)
Logs violations using Pino logger
Returns appropriate response

The endpoint will be used with the report-uri CSP directive:

Content-Security-Policy-Report-Only: ...; report-uri /api/csp-report

Acceptance Criteria

Endpoint accepts POST requests at /api/csp-report
Validates incoming CSP report format
Logs violations with relevant fields (blocked-uri, violated-directive, document-uri)
Returns 204 No Content on success
Handles malformed requests gracefully

This is part of the security headers implementation. See also:

MR !779 (merged) - Add security response headers

Add CSP violation report endpoint

Summary

Background

Implementation Details

Acceptance Criteria

Related