Collaborator

@jamie-taylor-rjj jamie-taylor-rjj commented Mar 29, 2025

Rationale for this PR

This PR adds the Reporting-Endpoints header, configuration for it, updates the relevant documentation, and increases the version number.

This PR closes #170

The following is a minimal code sample for the new feature:

// in Program.cs
// Each entry maps an endpoint name (the name a CSP report-to directive refers to)
// to the URI that will receive the browser's reports.
var reportingEndpoints =
    new Dictionary<string, Uri> {
        { "standard", new Uri("https://localhost:5000/reporting-endpoint") }
    };
// Register the Reporting-Endpoints policy with the rest of the middleware configuration.
var secureHeadersMiddlewareConfig = SecureHeadersMiddlewareBuilder.CreateBuilder()
    .UseReportingEndpointsPolicy(reportingEndpoints)
    .Build();
// app is the WebApplication built earlier in Program.cs.
app.UseSecureHeadersMiddleware(secureHeadersMiddlewareConfig);

PR Checklist

Feel free to either check the following items (by placing an x inside the square brackets) or replace the square brackets with a relevant emoji from the following list:

  • ✅ to indicate that you have checked something off
  • ❎ to indicate that you haven't checked something off
  • ❓ to indicate that something might not be relevant (writing tests for documentation changes, for instance)

Essential

These items are essential and must be completed for each commit. If they are not completed, the PR may not be accepted.

  • [ ✅ ] I have added tests to the OwaspHeaders.Core.Tests project
  • [ ✅ ] I have run the dotnet-format command and fixed any .editorconfig issues
  • [ ✅ ] I have ensured that the code coverage has not dropped below 65%
  • [ ✅ ] I have increased the version number in OwaspHeaders.Core.csproj (only relevant for code changes)

Optional

  • [ ✅ ] I have documented the new feature in the docs directory
  • [ ✅ ] I have provided a code sample, showing how someone could use the new code

Any Other Information

This PR adds experimental functionality. Depending on feedback, it might not be closed.

@GaProgMan GaProgMan marked this pull request as ready for review March 29, 2025 16:48
GaProgMan previously approved these changes Aug 4, 2025
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR implements support for the experimental Reporting-Endpoints HTTP header, which allows website administrators to specify endpoints for receiving reports from the browser's Reporting API. The header is intended to work with Content Security Policy (CSP) and other security policies that can generate violation reports.

  • Adds ReportingEndpointsPolicy model with configuration and header value generation
  • Implements middleware support for the new header with UseReportingEndpointsPolicy extension method
  • Updates CSP configuration to support the modern report-to directive alongside the deprecated report-uri

Reviewed Changes

Copilot reviewed 20 out of 21 changed files in this pull request and generated 5 comments.

Summary per file:

  • src/Models/ReportingEndpointsPolicy.cs: New model class for configuring the Reporting-Endpoints header with endpoint name-to-URI mappings
  • src/Extensions/SecureHeadersMiddlewareBuilder.cs: Adds a builder method for configuring the Reporting-Endpoints policy and updates the CSP methods
  • src/Models/ContentSecurityPolicyConfiguration.cs: Adds support for the report-to directive and marks report-uri as obsolete
  • src/Extensions/StringBuilderExtensions.cs: New utility method for removing trailing characters from a StringBuilder
  • tests/OwaspHeaders.Core.Tests/CustomHeaders/ReportingEndpointsTests.cs: Test coverage for the new Reporting-Endpoints functionality
  • docs/configuration/ReportingEndpoints.md: Documentation for the experimental header with appropriate warnings
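The wire format behind the two headers this PR touches, as an added example that is not OwaspHeaders.Core code (the class and method names below are hypothetical): it serialises a name-to-URI map into a Reporting-Endpoints value, rejects non-https endpoints, and refuses to emit a CSP report-to directive that names an endpoint the map never declared, since a browser silently drops reports in that case.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not the library's implementation.
public static class ReportingHeadersExample
{
    // Reporting-Endpoints is a Structured Field dictionary:
    //   name="https://host/path", other="https://host/other"
    // Browsers deliver reports only to secure endpoints, so fail at configuration
    // time rather than at runtime, where the loss would be invisible.
    public static string BuildReportingEndpoints(IReadOnlyDictionary<string, Uri> endpoints)
    {
        if (endpoints.Count == 0)
            throw new ArgumentException("at least one endpoint is required", nameof(endpoints));
        foreach (var (name, uri) in endpoints)
        {
            if (uri.Scheme != Uri.UriSchemeHttps)
                throw new ArgumentException($"endpoint '{name}' must use https", nameof(endpoints));
            // Simplified dictionary-key check: lowercase letter first, then lowercase
            // letters, digits, '_', '-' or '.'.
            bool validKey = name.Length > 0 && char.IsAsciiLetterLower(name[0])
                && name.All(c => char.IsAsciiLetterLower(c) || char.IsAsciiDigit(c)
                                 || c == '_' || c == '-' || c == '.');
            if (!validKey)
                throw new ArgumentException($"'{name}' is not a valid endpoint name", nameof(endpoints));
        }
        return string.Join(", ", endpoints.Select(kv => $"{kv.Key}=\"{kv.Value.AbsoluteUri}\""));
    }

    // report-to refers to an endpoint by name; the name must exist in Reporting-Endpoints.
    public static string BuildCspWithReportTo(string policy, string endpointName,
                                              IReadOnlyDictionary<string, Uri> endpoints)
    {
        if (!endpoints.ContainsKey(endpointName))
            throw new ArgumentException(
                $"report-to references undeclared endpoint '{endpointName}'", nameof(endpointName));
        return $"{policy.TrimEnd(';', ' ')}; report-to {endpointName}";
    }

    public static void Main()
    {
        // Same map as the PR's sample (constructed input).
        var endpoints = new Dictionary<string, Uri>
        {
            { "standard", new Uri("https://localhost:5000/reporting-endpoint") }
        };
        Console.WriteLine("Reporting-Endpoints: " + BuildReportingEndpoints(endpoints));
        Console.WriteLine("Content-Security-Policy: "
            + BuildCspWithReportTo("default-src 'self'", "standard", endpoints));
    }
}
```

Both values are response headers; `char.IsAsciiLetterLower` and `char.IsAsciiDigit` need .NET 7 or later, on older targets substitute range checks.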

@GaProgMan
Owner

As PR #189 will likely be merged ahead of this one, we'll need a version bump on this PR.

@jamie-taylor-rjj jamie-taylor-rjj deleted the bugfix/coep-default-header-value branch October 1, 2025 12:29
@jamie-taylor-rjj jamie-taylor-rjj restored the bugfix/coep-default-header-value branch October 1, 2025 12:32
@jamie-taylor-rjj
Collaborator Author

Deleted the wrong branch when trying to clean up. Sorry all.

Successfully merging this pull request may close these issues.

Feature Request: Add support for CSP report-to directive