feat: Add CSP violation report endpoint

Summary

Add /api/csp-report endpoint to receive and log Content Security Policy violation reports from browsers.

Closes #780

Details

This endpoint:

  • Accepts POST requests with CSP violation reports (JSON format per W3C CSP3 spec)
  • Validates the incoming report structure
  • Logs violations using Pino logger with relevant fields for analysis
  • Returns 204 No Content on success

Why This Is Needed

Before enabling CSP headers, we need a way to collect violation reports to:

  1. Identify what resources would be blocked by the CSP policy
  2. Fine-tune the policy before enforcing it
  3. Monitor for ongoing violations in production

The endpoint will be used with the report-uri CSP directive:

Content-Security-Policy-Report-Only: ...; report-uri /api/csp-report

Files Changed

  • apps/blog/app/api/csp-report/route.ts - new API endpoint

Test Plan

  • Deploy to staging
  • Test with curl:
    curl -X POST https://staging-url/api/csp-report \
      -H "Content-Type: application/json" \
      -d '{"csp-report":{"blocked-uri":"https://test.com","violated-directive":"script-src"}}'
  • Verify logs contain the CSP violation entry
  • Verify 204 response on valid report
  • Verify 400 response on invalid format
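The validation, log shaping and status codes listed under Details and Test Plan, as an added, framework-free example (not the MR's route.ts, and without Next.js or Pino so it runs offline); the body-size cap, field allowlist and string truncation are assumptions added because the endpoint is reachable by anyone:

```typescript
// Field names from the "csp-report" wrapper format the curl example uses.
const ALLOWED_FIELDS = [
  "document-uri", "referrer", "blocked-uri", "effective-directive",
  "violated-directive", "original-policy", "disposition", "status-code",
  "script-sample", "source-file", "line-number", "column-number",
] as const;

// Assumed limits: real reports are small, and the endpoint is unauthenticated.
export const MAX_BODY_CHARS = 16 * 1024;
export const MAX_FIELD_CHARS = 512;

export type CspLogEntry = Record<string, string | number>;
export type CspResult =
  | { status: 204; entry: CspLogEntry }
  | { status: 400 | 413; reason: string };

// Takes the raw request body and returns the HTTP status plus, on success,
// the flat object that would be handed to the logger (e.g. logger.warn(entry)).
export function handleCspReport(rawBody: string): CspResult {
  if (rawBody.length > MAX_BODY_CHARS) {
    return { status: 413, reason: "body too large" };
  }
  let parsed: unknown;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return { status: 400, reason: "invalid JSON" };
  }
  if (typeof parsed !== "object" || parsed === null) {
    return { status: 400, reason: "body is not an object" };
  }
  const report = (parsed as Record<string, unknown>)["csp-report"];
  if (typeof report !== "object" || report === null) {
    return { status: 400, reason: "missing csp-report object" };
  }
  const r = report as Record<string, unknown>;
  // A usable report names the directive that fired and what was blocked.
  const directive = r["effective-directive"] ?? r["violated-directive"];
  if (typeof directive !== "string" || directive.length === 0) {
    return { status: 400, reason: "missing violated/effective directive" };
  }
  if (typeof r["blocked-uri"] !== "string") {
    return { status: 400, reason: "missing blocked-uri" };
  }
  // Copy only known fields; unknown keys are dropped and strings are
  // truncated so a single report cannot bloat or pollute the log stream.
  const entry: CspLogEntry = {};
  for (const f of ALLOWED_FIELDS) {
    const v = r[f];
    if (typeof v === "string") entry[f] = v.slice(0, MAX_FIELD_CHARS);
    else if (typeof v === "number" && Number.isFinite(v)) entry[f] = v;
  }
  return { status: 204, entry };
}
```

Browsers send report-uri reports with Content-Type application/csp-report rather than application/json, so a route that checks the content type should accept both.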
