Deprecated: This feature has been deprecated and may be removed in future versions. It is recommended to use alternative approaches.
Important: The Report-To header is being deprecated. For CSP reporting, use either the Reporting-Endpoints header with the report-to directive or the legacy report-uri directive. Both must be delivered via HTTP headers and cannot be set with meta tags. See our CSP Meta Tags article for more details.
Report-To HTTP Header
The Report-To HTTP response header was a mechanism that allowed website administrators to define endpoints where browsers should send reports about security policy violations and other browser-level issues. It worked alongside Content Security Policy and other security headers to provide visibility into security events happening in users' browsers.
Understanding Report-To
The Report-To header defined named groups of reporting endpoints that could be referenced by other security headers. This created a centralized way to manage where different types of security reports would be sent.
Basic Report-To header configuration
Report-To: { "group": "csp-endpoints", "max_age": 86400, "endpoints": [ { "url": "https://report.centralcsp.com/<myendpoint>" } ] }
The CSP report-to directive would reference a group name defined in the Report-To header:
Report-To header working with CSP
HTTP/1.1 200 OK
Content-Type: text/html
Report-To: { "group": "csp-endpoints", "max_age": 10886400, "endpoints": [ { "url": "https://report.centralcsp.com/<myendpoint>" } ] }
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-scripts.com; report-to csp-endpoints
Integration with Security Headers
The Report-To header was designed to work with security features:
Content Security Policy (CSP)
CSP could use the report-to directive to specify which endpoint group should receive violation reports:
CSP using report-to directive
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to csp-endpoints
Real-World Implementation Example
Here's a comprehensive example showing how Report-To could be used with security headers:
Comprehensive security headers with Report-To
HTTP/1.1 200 OK
Content-Type: text/html
Report-To: {
"group": "security-endpoints",
"max_age": 10886400,
"endpoints": [
{ "url": "https://report.centralcsp.com/<myendpoint>" }
]
}
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to security-endpoints
Report Format
When a CSP violation occurred, the browser would send a JSON report to the specified endpoint. Here's an example of what a CSP violation report looked like:
Example CSP violation report
{
"type": "csp-violation",
"age": 10,
"url": "https://example.com/page.html",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"body": {
"blocked-uri": "https://malicious-site.com/script.js",
"disposition": "enforce",
"document-uri": "https://example.com/page.html",
"effective-directive": "script-src",
"original-policy": "default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to security-endpoints",
"referrer": "",
"status-code": 0,
"violated-directive": "script-src"
}
}
Report Processing
These reports could be collected and analyzed to identify security issues, malicious attacks, or configuration problems in your security policies.
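As an added example (not code from the page or from CentralCSP), here is a small Python function that processes the body a browser POSTs to a reporting endpoint: an array of report objects, of which only the csp-violation entries are normalised. It treats the body as untrusted client input (size bound, malformed JSON, unexpected types) and accepts both the hyphenated body keys shown above and the camelCase spellings that Reporting API senders may use.

```python
import json
# Constructed sample body: a browser POSTs a JSON array of report objects
# (Content-Type: application/reports+json). The first mirrors the page's example;
# the second is a non-CSP report type that the parser must ignore.
SAMPLE_BODY = json.dumps([
    {"type": "csp-violation", "age": 10, "url": "https://example.com/page.html",
     "user_agent": "Mozilla/5.0", "body": {
         "blocked-uri": "https://malicious-site.com/script.js", "disposition": "enforce",
         "document-uri": "https://example.com/page.html", "effective-directive": "script-src",
         "original-policy": "default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to security-endpoints",
         "referrer": "", "status-code": 0, "violated-directive": "script-src"}},
    {"type": "deprecation", "age": 0, "url": "https://example.com/", "body": {}},
])

# The page shows hyphenated body keys; Reporting API senders may use the camelCase
# spellings instead, so each field is looked up under both names.
FIELDS = {
    "blocked": ("blocked-uri", "blockedURL"),
    "document": ("document-uri", "documentURL"),
    "directive": ("effective-directive", "effectiveDirective"),
    "disposition": ("disposition",),
}

def _pick(body: dict, names: tuple) -> str:
    """Return the first present spelling of a field as a string, else ''."""
    return next((str(body[n]) for n in names if n in body), "")

def parse_csp_reports(raw: str, max_bytes: int = 64 * 1024) -> list:
    """Normalise CSP violation reports from a Reporting API POST body; other report
    types are skipped and oversized or malformed input yields an empty list."""
    if len(raw) > max_bytes:  # bound the work an untrusted client can cause
        return []
    try:
        reports = json.loads(raw)
    except ValueError:
        return []
    if not isinstance(reports, list):
        return []
    out = []
    for rep in reports:
        if not isinstance(rep, dict) or rep.get("type") != "csp-violation":
            continue
        body = rep.get("body")
        if not isinstance(body, dict):
            continue
        rec = {key: _pick(body, names) for key, names in FIELDS.items()}
        rec["page"] = str(rep.get("url", ""))
        out.append(rec)
    return out
```

The records it returns are what you would aggregate (by page, directive and blocked origin) to separate a real injection attempt from a policy that simply forgot a legitimate CDN.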
Deprecation and Replacement
Important: The Report-To HTTP header is now deprecated. Modern web applications should use the Reporting-Endpoints header instead.
Modern Reporting-Endpoints syntax
Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/myendpoint", default="https://report.centralcsp.com/default"
Content-Security-Policy: default-src 'self'; report-to csp-endpoint
Transitioning from Report-To to Reporting-Endpoints
If you're updating an existing implementation, here's how to transition:
Transitioning to Reporting-Endpoints
# Old approach with Report-To
Report-To: { "group": "csp-endpoints", "max_age": 86400, "endpoints": [ { "url": "https://report.centralcsp.com/myendpoint" } ] }
Content-Security-Policy: default-src 'self'; report-to csp-endpoints
# New approach with Reporting-Endpoints
Reporting-Endpoints: csp-endpoints="https://report.centralcsp.com/myendpoint"
Content-Security-Policy: default-src 'self'; report-to csp-endpoints
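The transition above can be automated. The following Python function is an added example (not code from the page or from CentralCSP) that rewrites a Report-To value as a Reporting-Endpoints value; it assumes the Reporting-Endpoints key syntax of a Structured Field dictionary (RFC 8941), keeps only the first URL of each group because Reporting-Endpoints allows one URL per name, and drops max_age, which has no counterpart.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed input mirroring the legacy header shown above.
LEGACY_REPORT_TO = ('{ "group": "csp-endpoints", "max_age": 86400, '
                    '"endpoints": [ { "url": "https://report.centralcsp.com/myendpoint" } ] }')

# Reporting-Endpoints is a Structured Field dictionary (RFC 8941): each key must be
# a lowercase token and each value a quoted string holding exactly one URL.
_SF_KEY = re.compile(r"^[a-z*][a-z0-9_.*-]*$")

def to_reporting_endpoints(report_to_value: str) -> str:
    """Rewrite a Report-To header value as an equivalent Reporting-Endpoints value.
    Raises ValueError when a group cannot be expressed safely. max_age and any
    additional failover endpoints have no counterpart and are dropped."""
    # Report-To carries one JSON object, or several separated by commas, with no
    # enclosing brackets, so wrap the value to parse it as a JSON array.
    groups = json.loads("[" + report_to_value + "]")
    parts = []
    for grp in groups:
        name = grp.get("group", "default")  # Report-To's implicit group name
        if not isinstance(name, str) or not _SF_KEY.match(name):
            raise ValueError(f"group name {name!r} is not a valid Reporting-Endpoints key")
        endpoints = grp.get("endpoints") or []
        if not endpoints:
            raise ValueError(f"group {name!r} has no endpoints")
        url = str(endpoints[0].get("url", ""))  # only the first URL can be carried over
        u = urlsplit(url)
        # Browsers only deliver reports to secure (https) endpoints; also reject
        # characters that would break the quoted-string encoding of the value.
        if u.scheme != "https" or not u.netloc or '"' in url or "\\" in url:
            raise ValueError(f"endpoint {url!r} is not a usable https URL")
        parts.append(f'{name}="{url}"')
    return ", ".join(parts)

if __name__ == "__main__":
    print("Reporting-Endpoints: " + to_reporting_endpoints(LEGACY_REPORT_TO))
```

Keep the CSP report-to directive unchanged during the switch, since it references the group name, which survives the rewrite.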
Related Resources
- MDN Web Docs: Reporting-Endpoints
- Google Web Fundamentals: Reporting API
- CSP Reporting and Monitoring
Conclusion
While the Report-To header has been deprecated, understanding its purpose and relationship with security headers provides valuable context for implementing modern reporting with the Reporting-Endpoints header. Proper reporting configuration remains essential for monitoring security policy violations and maintaining a robust security posture for your web applications.