Add config option for report URI in CSP

README.md

@@ -207,6 +207,7 @@ There are some config settings you need to change in the files below.
 | `HMD_HSTS_MAX_AGE` | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
 | `HMD_HSTS_PRELOAD` | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
 | `HMD_CSP_ENABLE` | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
+| `HMD_CSP_REPORTURI` | `https://<someid>.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations |
 
 ## Application settings `config.json`
 

lib/config/default.js

@@ -18,7 +18,8 @@ module.exports = {
     directives: {
     },
     addDefaults: true,
-    upgradeInsecureRequests: 'auto'
+    upgradeInsecureRequests: 'auto',
+    reportURI: undefined
   },
   protocolusessl: false,
   usecdn: true,

lib/config/environment.js

@@ -15,7 +15,8 @@ module.exports = {
     preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
   },
   csp: {
-    enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
+    enable: toBooleanConfig(process.env.HMD_CSP_ENABLE),
+    reportURI: process.env.HMD_CSP_REPORTURI
   },
   protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
   alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),

lib/csp.js

@@ -30,6 +30,7 @@ CspStrategy.computeDirectives = function () {
     addInlineScriptExceptions(directives)
   }
   addUpgradeUnsafeRequestsOptionTo(directives)
+  addReportURI(directives)
   return directives
 }
 
@@ -72,6 +73,12 @@ function addUpgradeUnsafeRequestsOptionTo (directives) {
   }
 }
 
+function addReportURI (directives) {
+  if (config.csp.reportURI) {
+    directives.reportUri = config.csp.reportURI
+  }
+}
+
 CspStrategy.addNonceToLocals = function (req, res, next) {
   res.locals.nonce = uuid.v4()
   next()