{"id":14611957,"url":"https://github.com/wille/reporting-api","last_synced_at":"2026-04-10T10:03:43.079Z","repository":{"id":250131788,"uuid":"829350361","full_name":"wille/reporting-api","owner":"wille","description":"CSP Reporting Server","archived":false,"fork":false,"pushed_at":"2026-02-08T23:15:51.000Z","size":68,"stargazers_count":6,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2026-02-09T04:53:34.364Z","etag":null,"topics":["content-security-policy","csp","express","nodejs","reporting","webappsec"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wille.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-07-16T08:55:18.000Z","updated_at":"2026-02-08T23:15:54.000Z","dependencies_parsed_at":"2025-04-12T07:01:34.842Z","dependency_job_id":null,"html_url":"https://github.com/wille/reporting-api","commit_stats":null,"previous_names":["wille/reporting-api"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/wille/reporting-api","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wille%2Freporting-api","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wille%2Freporting-api/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wille%2Freporting-api/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wille%2Freporting-api/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wille","download_url":"https://codeload.github.com/wille/reporting-api/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wille%2Freporting-api/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31637749,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-10T07:40:12.752Z","status":"ssl_error","status_checked_at":"2026-04-10T07:40:11.664Z","response_time":98,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["content-security-policy","csp","express","nodejs","reporting","webappsec"],"created_at":"2024-09-09T02:00:56.235Z","updated_at":"2026-04-10T10:03:43.067Z","avatar_url":"https://github.com/wille.png","language":"TypeScript","funding_links":[],"categories":["Web Framework Hardening"],"sub_categories":[],"readme":"# reporting-api\n\n[![npm](https://img.shields.io/npm/v/reporting-api?style=flat-square)](https://www.npmjs.com/package/reporting-api)\n[![license](https://img.shields.io/npm/l/reporting-api?style=flat-square)](https://github.com/wille/reporting-api/blob/master/LICENSE)\n\nExpress.js middleware for the [Reporting API](https://w3c.github.io/reporting/). Automatically wires up `report-to` / `report-uri` on your existing policy headers and gives you a ready-made endpoint to collect violation, deprecation, crash, and network error reports.\n\n## Supported headers and report types\n\n| Header | Shorthand |\n|--------|-----------|\n| [`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) | CSP |\n| [`Content-Security-Policy-Report-Only`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only) | |\n| [`Cross-Origin-Opener-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) | COOP |\n| [`Cross-Origin-Opener-Policy-Report-Only`](https://github.com/camillelamy/explainers/blob/main/coop_reporting.md) | |\n| [`Cross-Origin-Embedder-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) | COEP |\n| [`Cross-Origin-Embedder-Policy-Report-Only`](https://gist.github.com/yutakahirano/f14f15bd1595e1e913b0870649000470) | |\n| [`Permissions-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy) | |\n| [`Permissions-Policy-Report-Only`](https://github.com/w3c/webappsec-permissions-policy/blob/main/reporting.md) | |\n| [`NEL` (Network Error Logging)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Network_Error_Logging) | NEL |\n\nPlus [Deprecation](https://wicg.github.io/deprecation-reporting/), [Intervention](https://wicg.github.io/intervention-reporting/), and [Crash](https://wicg.github.io/crash-reporting/) reports.\n\nBackwards-compatible with CSP Level 2 `report-uri` for browsers that don't yet support the Reporting API.\n\n## Install\n\n```bash\nnpm install reporting-api\n```\n\nPeer dependencies: `express`, `zod`, `debug`.\n\n## Quick start\n\n```ts\nimport express from 'express';\nimport { reportingEndpoint, setupReportingHeaders } from 'reporting-api';\n\nconst app = express();\n\n// 1. Mount the reporting endpoint\napp.use('/reporting-endpoint', reportingEndpoint({\n  allowedOrigins: '*',\n  onReport(report) {\n    console.log(report.type, report.body);\n  },\n}));\n\n// 2. Set your policy headers, then let the middleware attach reporters\napp.use((req, res, next) =\u003e {\n  res.setHeader('Content-Security-Policy', \"script-src 'self'\");\n  res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');\n  res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp');\n  next();\n});\napp.use(setupReportingHeaders('/reporting-endpoint'));\n\napp.listen(8080);\n```\n\n\u003e [!NOTE]\n\u003e Policy headers must be set **before** `setupReportingHeaders` runs so the middleware can append `report-to` and `report-uri` directives to them.\n\nThe resulting response headers will look like this:\n\n```\nReporting-Endpoints: reporter=\"/reporting-endpoint\"\nContent-Security-Policy: script-src 'self';report-uri /reporting-endpoint?disposition=enforce;report-to reporter\nCross-Origin-Opener-Policy: same-origin;report-to=\"reporter\"\nCross-Origin-Embedder-Policy: require-corp;report-to=\"reporter\"\n```\n\n## API\n\n### `reportingEndpoint(config)`\n\nReturns Express middleware that accepts incoming reports.\n\n| Option | Type | Description |\n|--------|------|-------------|\n| `onReport` | `(report, req) =\u003e void` | Called for every valid report. |\n| `onValidationError` | `(error, body, req) =\u003e void` | Called when a report fails Zod validation. |\n| `allowedOrigins` | `string \\| RegExp \\| Array` | Enable CORS for cross-origin reports. Use `'*'` to allow any origin. |\n| `ignoreBrowserExtensions` | `boolean` | Drop CSP violations originating from browser extensions. |\n| `ignoredDeprecationIds` | `string[]` | Deprecation report IDs to ignore (e.g. `['AttributionReporting', 'Topics']`). |\n| `maxAge` | `number` | Maximum report age in **seconds**. Older buffered reports are dropped. |\n| `debug` | `boolean` | Enable `debug` logging for the `reporting-api:*` namespace. |\n\n### `setupReportingHeaders(url, config?)`\n\nReturns Express middleware that appends `report-to` / `report-uri` to every policy header already set on the response and adds the `Reporting-Endpoints` header.\n\n| Option | Type | Default | Description |\n|--------|------|---------|-------------|\n| `reportingGroup` | `string` | `\"reporter\"` | Reporting group name. |\n| `enableDefaultReporters` | `boolean` | `false` | Use the `default` group so you also receive Deprecation, Crash, and Intervention reports. |\n| `enableNetworkErrorLogging` | `boolean \\| object` | `false` | Add `Report-To` + `NEL` headers (Reporting API v0, required for NEL). Accepts `{ success_fraction, failure_fraction, include_subdomains }`. |\n| `version` | `string \\| number` | — | Appended as a `?version=` query param so you can correlate reports with policy revisions. |\n\n## Report schema\n\nEvery report delivered to `onReport` is validated with Zod and has the shape:\n\n```ts\n{\n  type: 'csp-violation' | 'coop' | 'coep' | 'deprecation' | 'crash'\n       | 'intervention' | 'network-error' | 'permissions-policy-violation'\n       | 'potential-permissions-policy-violation';\n  body: { /* type-specific fields */ };\n  url: string;\n  age: number;\n  user_agent: string;\n  report_format: 'report-uri' | 'report-to' | 'report-to-safari';\n  version?: string;\n}\n```\n\nFull type definitions are exported as `Report` and the individual body types (`ContentSecurityPolicyReport`, `CrossOriginOpenerPolicyReport`, etc.).\n\n## Client-side observing\n\nReports can also be observed in the browser via [ReportingObserver](https://developer.mozilla.org/en-US/docs/Web/API/ReportingObserver):\n\n```js\nif (typeof ReportingObserver !== 'undefined') {\n  new ReportingObserver((reports) =\u003e {\n    reports.forEach(r =\u003e console.log(r.body));\n  }).observe();\n}\n```\n\n## Resources\n\n- [Reporting API v1 spec (Reporting-Endpoints)](https://w3c.github.io/reporting/)\n- [Reporting API v0 spec (Report-To)](https://www.w3.org/TR/reporting/)\n- [Migrating from v0 to v1](https://developer.chrome.com/blog/reporting-api-migration)\n- [v0 vs v1 differences (Chromium)](https://chromium.googlesource.com/chromium/src/+/HEAD/net/reporting/README.md#supporting-both-v0-and-v1-reporting-in-the-same-codebase)\n- [Permissions-Policy reporting](https://github.com/w3c/webappsec-permissions-policy/blob/main/reporting.md)\n\n### Notes\n\n- `Permissions-Policy` reports to the `default` group when `report-to` is not set.\n- COOP and COEP require `report-to` values wrapped in double quotes (e.g. `report-to=\"group\"`).\n- Safari sends reports as `{ body: { ... } }` instead of an array and omits `age`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwille%2Freporting-api","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwille%2Freporting-api","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwille%2Freporting-api/lists"}