Deprecated: This feature has been deprecated and may be removed in future versions. Use the Reporting-Endpoints header instead.

Important: The Report-To header is being deprecated. For CSP reporting, you should use either the Reporting-Endpoints header with the report-to directive or the legacy report-uri directive. Both must be delivered via HTTP headers and cannot be implemented using meta tags. See our CSP Meta Tags article for more details.

Report-To HTTP Header

The Report-To HTTP response header was a mechanism that allowed website administrators to define endpoints where browsers should send reports about security policy violations and other browser-level issues. It worked alongside Content Security Policy and other security headers to provide visibility into security events happening in users' browsers.

Understanding Report-To

The Report-To header defined named groups of reporting endpoints that could be referenced by other security headers. This created a centralized way to manage where different types of security reports would be sent.

Basic Report-To header configuration

Report-To: { "group": "csp-endpoints", "max_age": 86400, "endpoints": [ { "url": "https://report.centralcsp.com/<myendpoint>" } ] }

When used with Content Security Policy, the report-to directive would reference a group name defined in the Report-To header:

Report-To header working with CSP

HTTP/1.1 200 OK
Content-Type: text/html
Report-To: { "group": "csp-endpoints", "max_age": 10886400, "endpoints": [ { "url": "https://report.centralcsp.com/<myendpoint>" } ] }
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-scripts.com; report-to csp-endpoints


Integration with Security Headers

The Report-To header was designed to work with security features:

Content Security Policy (CSP)

CSP could use the report-to directive to specify which endpoint group should receive violation reports:

CSP using report-to directive

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to csp-endpoints

Real-World Implementation Example

Here's a comprehensive example showing how Report-To could be used with security headers:

Comprehensive security headers with Report-To

HTTP/1.1 200 OK
Content-Type: text/html
Report-To: {
  "group": "security-endpoints",
  "max_age": 10886400,
  "endpoints": [
    { "url": "https://report.centralcsp.com/<myendpoint>" }
  ]
}
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to security-endpoints

In this example, all security violations would be reported to the same endpoint group.

Report Format

When a CSP violation occurred, the browser would send a JSON report to the specified endpoint. Here's an example of what a CSP violation report looked like:

Example CSP violation report

{
  "type": "csp-violation",
  "age": 10,
  "url": "https://example.com/page.html",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
  "body": {
    "blocked-uri": "https://malicious-site.com/script.js",
    "disposition": "enforce",
    "document-uri": "https://example.com/page.html",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to security-endpoints",
    "referrer": "",
    "status-code": 0,
    "violated-directive": "script-src"
  }
}

Report Processing

These reports could be collected and analyzed to identify security issues, malicious attacks, or configuration problems in your security policies.
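As an added example (not part of the original article), here is a small Python parser for a collection endpoint. It accepts both delivery formats a browser may use: the Reporting API batch (Content-Type application/reports+json, an array of reports, of which only the csp-violation entries are kept) and the legacy report-uri format (Content-Type application/csp-report, a single object wrapped in "csp-report"). It tolerates both the camelCase and the hyphenated field spellings and normalises each violation into one record. The sample payloads are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample deliveries (not captured from a real browser).
# Reporting API: an array of reports, sent with Content-Type application/reports+json.
REPORTING_API_BATCH = json.dumps([
    {"type": "csp-violation", "age": 10, "url": "https://example.com/page.html",
     "user_agent": "Mozilla/5.0", "body": {
         "blockedURL": "https://malicious-site.com/script.js", "disposition": "enforce",
         "documentURL": "https://example.com/page.html", "effectiveDirective": "script-src",
         "originalPolicy": "default-src 'self'; report-to csp-endpoints", "statusCode": 0}},
    {"type": "deprecation", "age": 3, "url": "https://example.com/",
     "user_agent": "Mozilla/5.0", "body": {"id": "SomeFeature"}},
])
# Legacy report-uri: one object wrapped in "csp-report", Content-Type application/csp-report.
LEGACY_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "inline", "disposition": "report",
    "document-uri": "https://example.com/page.html",
    "effective-directive": "script-src-elem", "violated-directive": "script-src-elem",
    "original-policy": "default-src 'self'; report-uri /csp", "status-code": 200}})

def _field(body, camel, hyphen, default=""):
    """Read a field by its Reporting API (camelCase) or legacy (hyphenated) name."""
    return body.get(camel, body.get(hyphen, default))

def normalise(body, source, age_ms=0):
    """Reduce one violation body to the fields a triage pipeline keys on."""
    blocked = _field(body, "blockedURL", "blocked-uri")
    # blocked-uri can be a keyword such as "inline" or "eval" rather than a URL
    host = urlsplit(blocked).hostname if "://" in blocked else blocked
    directive = (_field(body, "effectiveDirective", "effective-directive")
                 or _field(body, "violatedDirective", "violated-directive"))
    return {"source": source, "age_ms": age_ms,
            "document": _field(body, "documentURL", "document-uri"),
            "directive": directive, "blocked_host": host or "",
            "enforced": body.get("disposition") == "enforce"}

def parse_reports(content_type, payload):
    """Normalise CSP violations from either delivery format; other report types are skipped."""
    data = json.loads(payload)
    if content_type.startswith("application/reports+json"):
        return [normalise(r.get("body", {}), "reporting-api", r.get("age", 0))
                for r in data if r.get("type") == "csp-violation"]
    if content_type.startswith("application/csp-report"):
        return [normalise(data["csp-report"], "report-uri")]
    raise ValueError(f"unsupported content type: {content_type}")
```

Grouping the normalised records by blocked_host and directive is usually enough to separate a broken policy (many documents, one first-party host) from unexpected third-party script loads.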

Deprecation and Replacement

Important

The Report-To HTTP header is now deprecated. Modern web applications should use the Reporting-Endpoints header instead.

The functionality of Report-To has been replaced by the Reporting-Endpoints header, which offers a simpler syntax:

Modern Reporting-Endpoints syntax

Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/myendpoint", default="https://report.centralcsp.com/default"
Content-Security-Policy: default-src 'self'; report-to csp-endpoint

Transitioning from Report-To to Reporting-Endpoints

If you're updating an existing implementation, here's how to transition:

Transitioning to Reporting-Endpoints

# Old approach with Report-To
Report-To: { "group": "csp-endpoints", "max_age": 86400, "endpoints": [ { "url": "https://report.centralcsp.com/myendpoint" } ] }
Content-Security-Policy: default-src 'self'; report-to csp-endpoints

# New approach with Reporting-Endpoints
Reporting-Endpoints: csp-endpoints="https://report.centralcsp.com/myendpoint"
Content-Security-Policy: default-src 'self'; report-to csp-endpoints
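As an added example that is not part of the original article, the following Python helper converts a Report-To value into a Reporting-Endpoints value while keeping the group names, so the report-to directive in the CSP does not need to change. It also reports what the new header cannot express: Reporting-Endpoints is a Structured Fields dictionary with one https URL per lowercase name and no max_age, priority or weight. The sample Report-To value is constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed Report-To value with two groups (the old header allowed a comma-separated
# list of JSON objects); not a captured header.
OLD_REPORT_TO = (
    '{ "group": "csp-endpoints", "max_age": 86400, "endpoints": '
    '[ { "url": "https://report.centralcsp.com/myendpoint" }, '
    '{ "url": "https://backup.example/csp", "priority": 2 } ] }, '
    '{ "group": "default", "max_age": 86400, "endpoints": '
    '[ { "url": "http://report.example/default" } ] }'
)

# Structured Fields dictionary keys (RFC 8941): lowercase letters, digits, "_", "-", ".", "*"
SF_KEY = re.compile(r"[a-z*][a-z0-9_\-.*]*")

def parse_report_to(value):
    """Report-To carried one JSON object per group, separated by commas."""
    return json.loads("[" + value + "]")

def to_reporting_endpoints(value):
    """Return (Reporting-Endpoints value, warnings) built from a Report-To value.

    Group names are preserved so that `report-to <name>` in the CSP keeps working.
    Reporting-Endpoints holds a single https URL per name, so extra endpoints,
    priorities and max_age are dropped and reported in the warnings.
    """
    members, warnings = [], []
    for group in parse_report_to(value):
        name = group.get("group", "default")
        if not SF_KEY.fullmatch(name):
            warnings.append(f"group {name!r}: not a valid dictionary key; skipped")
            continue
        urls = [e["url"] for e in group.get("endpoints", []) if "url" in e]
        secure = [u for u in urls if urlsplit(u).scheme == "https"]
        if not secure:
            warnings.append(f"group {name!r}: no https endpoint; skipped")
            continue
        if len(urls) > 1:
            warnings.append(f"group {name!r}: kept {secure[0]}, dropped {len(urls) - 1} other endpoint(s)")
        members.append(f'{name}="{secure[0]}"')
    return ", ".join(members), warnings
```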

Conclusion

While the Report-To header has been deprecated, understanding its purpose and relationship with security headers provides valuable context for implementing modern reporting with the Reporting-Endpoints header. Proper reporting configuration remains essential for monitoring security policy violations and maintaining a robust security posture for your web applications.