CentralCSP

report-to

The report-to directive specifies a reporting endpoint for CSP violations. It works in conjunction with the Reporting-Endpoints HTTP header to define where violation reports should be sent.

Tips & Tricks

  • The report-to directive requires a corresponding group to be defined in the Reporting-Endpoints HTTP header to function properly.

  • Not all browsers support the report-to directive. Consider using report-uri as a fallback.

  • The Report-To header is deprecated; use Reporting-Endpoints to define where violation reports should be sent.

Examples

  • Specifies a reporting group named 'csp-endpoint' for CSP violations

    Content-Security-Policy: ...; report-to csp-endpoint;

  • The Reporting-Endpoints header should be sent along with the CSP header

    Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/MyEndpointID"

Example of a CSP Violation Report

When a CSP violation occurs, the browser sends a JSON report to your specified endpoint. Here's an example of what the violation report looks like:

{
    "csp-report": {
        "document-uri": "https://example.com/page.html",
        "referrer": "",
        "violated-directive": "script-src-elem",
        "effective-directive": "script-src-elem",
        "original-policy": "default-src 'self'; script-src 'self' https://trusted.com; report-uri /csp-endpoint",
        "disposition": "enforce",
        "blocked-uri": "https://malicious-site.com/script.js",
        "line-number": 42,
        "column-number": 8,
        "source-file": "https://example.com/page.html",
        "status-code": 0,
        "script-sample": ""
    }
}

This report provides detailed information about the violation, including the blocked resource, violated directive, and where the violation occurred in your code.
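The "csp-report" object above is the shape report-uri sends (content type application/csp-report); report-to delivers the same violation through the Reporting API instead, as a JSON array of reports with camelCase body keys (content type application/reports+json), so an endpoint that backs both directives has to accept both shapes. The following parser is an added example, not CentralCSP's own code; both sample bodies are constructed, and the normalized field names are this example's own choice.

```python
import json

# Constructed sample: a report-uri body in the "csp-report" shape shown above.
LEGACY_BODY = b'''{"csp-report": {"document-uri": "https://example.com/page.html",
 "effective-directive": "script-src-elem", "violated-directive": "script-src-elem",
 "original-policy": "default-src 'self'; report-to csp-endpoint",
 "disposition": "enforce", "blocked-uri": "https://malicious-site.com/script.js",
 "line-number": 42, "column-number": 8, "status-code": 0}}'''

# Constructed sample: the same violation delivered via report-to (Reporting API):
# an array of reports, each with a "type" and a camelCase "body".
REPORTING_API_BODY = b'''[{"type": "csp-violation", "age": 10,
 "url": "https://example.com/page.html", "user_agent": "constructed-UA",
 "body": {"documentURL": "https://example.com/page.html",
  "effectiveDirective": "script-src-elem",
  "originalPolicy": "default-src 'self'; report-to csp-endpoint",
  "disposition": "enforce", "blockedURL": "https://malicious-site.com/script.js",
  "lineNumber": 42, "columnNumber": 8, "statusCode": 0}}]'''


def normalize(body: dict) -> dict:
    """Map either key style (kebab-case legacy or camelCase Reporting API) onto one record."""
    def pick(*keys):
        for k in keys:
            if k in body:
                return body[k]
        return None
    return {
        "document_url": pick("documentURL", "document-uri"),
        "blocked_url": pick("blockedURL", "blocked-uri"),
        "effective_directive": pick("effectiveDirective", "effective-directive"),
        "disposition": pick("disposition"),
        "original_policy": pick("originalPolicy", "original-policy"),
    }


def parse_csp_reports(raw: bytes, content_type: str) -> list[dict]:
    """Return normalized violation records from either delivery format.

    The Reporting API can batch several reports (and other report types) in one
    request, so only "csp-violation" entries are kept from that shape.
    """
    data = json.loads(raw.decode("utf-8"))
    mime = content_type.split(";")[0].strip().lower()
    if mime == "application/csp-report":
        return [normalize(data["csp-report"])]
    if mime == "application/reports+json":
        return [normalize(r["body"]) for r in data if r.get("type") == "csp-violation"]
    raise ValueError(f"unexpected content type: {content_type}")
```

Dispatching on the request's Content-Type rather than sniffing the JSON keeps the two formats from being confused when a single endpoint URL is referenced by both directives.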

Frequently Asked Questions

What is the report-to directive used for?

The report-to directive specifies a reporting group name that matches a group defined in the Report-To HTTP header or the Reporting-Endpoints header. Those headers define the reporting endpoints where CSP violation reports should be sent. For example, if your Reporting-Endpoints header defines a group named 'csp-endpoint', your CSP would use: report-to csp-endpoint

Header Configuration Required

The report-to directive only works when paired with a Report-To or Reporting-Endpoints header that configures the actual endpoint URLs and reporting parameters.

Should I use the Report-To or the Reporting-Endpoints header?

The Reporting-Endpoints header is the newer version of the Report-To header. It's recommended to use Reporting-Endpoints instead of Report-To.

Report-To header deprecation

The Report-To header is deprecated; use Reporting-Endpoints to define where violation reports should be sent.

What's the difference between report-to and report-uri?

report-to uses the newer Reporting API while report-uri uses the older CSP reporting mechanism. report-to offers more features like batching reports and retry logic, while report-uri is simpler but being phased out. For maximum browser compatibility, it's recommended to specify both directives.

Browser Support

Not all browsers support report-to yet. Using both report-to and report-uri ensures coverage across all browsers.

Does using report-to or report-uri affect the user experience?

No, neither report-to nor report-uri affects the user experience. These directives only handle the backend reporting of CSP violations and work silently in the background. Users won't notice any difference regardless of which reporting directive is used.

Background Operation

CSP violation reporting happens asynchronously and doesn't impact page loading or functionality.

Need to monitor CSP violations and maintain your policy easily?

Set up a reporting endpoint to monitor Content Security Policy violations in real-time to build and maintain your CSP easily.


CentralSaaS © 2025