Limited Browser Support: The report-to directive is not implemented in all major browsers yet. For maximum compatibility, it is recommended to use report-uri alongside report-to, or to rely on report-uri alone if you need consistent reporting across all browsers.

report-to

The report-to directive is the modern successor to report-uri, designed to provide a more flexible and powerful way to specify endpoints for various security reporting features, including CSP violations.

How it works

When does a violation occur?

A CSP violation occurs when the browser tries to load or execute something that your Content Security Policy does not allow. The process works as follows:
  1. The browser requests a page from your server and receives it together with the Content-Security-Policy header
  2. While rendering the page, the browser attempts to load a resource (script, image, stylesheet, etc.) or run inline code
  3. The browser checks the resource against the relevant CSP directive
  4. If allowed, the resource loads normally
  5. If not allowed, the browser blocks the resource and sends a violation report to the endpoint named by report-to (or report-uri). With a Content-Security-Policy-Report-Only header the resource is not blocked, but the report is still sent, with "disposition": "report" instead of "enforce"
CSP Violation Flow (diagram: CSP reporting flow)

How to collect reports?

When a CSP violation occurs, the browser sends a JSON report to the endpoint named by the policy: the endpoint group referenced by report-to, or the URL given by report-uri. With report-uri each violation is POSTed on its own with Content-Type application/csp-report; with report-to the Reporting API queues violations and POSTs them in batches as a JSON array with Content-Type application/reports+json, and a cross-origin endpoint must first answer a CORS preflight (OPTIONS) request. Each report contains the blocked resource, the violated directive, the page URL where the violation occurred and the policy in force. Analyzing these reports lets you find and fix gaps in your CSP without affecting your users' experience.
CentralCSP & Reporting (diagram: CSP reporting with CentralCSP)

Current Status

  • Limited browser support - not all major browsers implement report-to yet

  • Should be used alongside report-uri for maximum compatibility

How it works

The Report-To header defines a named reporting endpoint group: a group name, a max_age in seconds for which the browser caches the group, and one or more endpoint URLs. CSP and other reporting features then reference the group by name. The value is JSON on a single header line (HTTP header values cannot contain line breaks). Report-To is the original Reporting API header; the current Reporting API specification replaces it with the simpler Reporting-Endpoints header (for example Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/<yourID>"), which Chromium-based browsers also accept, and the CSP report-to directive is the same with either header.

Report-To header configuration

Report-To: {"group": "csp-endpoint", "max_age": 10886400, "endpoints": [{"url": "https://report.centralcsp.com/<yourID>"}]}
Then, in your CSP header:

CSP using report-to

Content-Security-Policy: default-src 'self'; report-to csp-endpoint;

Browser Support

Current browser support for report-to, as stated on this page at the time of writing (check a current compatibility table before relying on it):
  • Chrome/Chromium-based browsers (Chrome, Edge, Opera)

  • Firefox: Not supported

  • Safari: Not supported

Recommended Configuration

For maximum compatibility, we recommend sending both report-to and report-uri. A browser that understands report-to uses the endpoint group and ignores report-uri (CSP Level 3 requires this, so you do not get duplicate reports); a browser that does not understand report-to ignores the unknown directive and falls back to report-uri:

Recommended configuration using both directives

Report-To: {"group": "csp-endpoint", "max_age": 10886400, "endpoints": [{"url": "https://report.centralcsp.com/<yourID>"}]}
Content-Security-Policy: default-src 'self'; report-to csp-endpoint; report-uri https://report.centralcsp.com/<yourID>;
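A small checker for the header pair above, added here as an example; it is not part of CentralCSP's product or documentation. It assumes the two header values are available as strings (from your server configuration or a curl -I dump) and reports the misconfigurations that silently break reporting: a report-to group that is not defined in Report-To, a non-HTTPS endpoint, a non-positive max_age, or a missing report-uri fallback.

```python
"""Consistency checks for a Report-To / Content-Security-Policy header pair.

Added example, not CentralCSP's own code. It assumes you have the two header
values as strings and want to catch misconfigurations before deploying them.
"""
import json
from urllib.parse import urlsplit

# The recommended configuration from this page (the <yourID> placeholder is left as-is).
REPORT_TO_HEADER = (
    '{"group": "csp-endpoint", "max_age": 10886400, '
    '"endpoints": [{"url": "https://report.centralcsp.com/<yourID>"}]}'
)
CSP_HEADER = (
    "default-src 'self'; report-to csp-endpoint; "
    "report-uri https://report.centralcsp.com/<yourID>;"
)


def parse_report_to(header_value: str) -> list[dict]:
    """Parse a Report-To value into its list of endpoint groups.

    The header value is a comma-separated list of JSON objects without the
    surrounding [ ], so wrap it before decoding. Multi-line values (as docs
    often show them) are joined first; a real header is a single line.
    """
    one_line = " ".join(line.strip() for line in header_value.splitlines())
    groups = json.loads("[" + one_line + "]")
    return [g for g in groups if isinstance(g, dict)]


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive-name: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_reporting_config(report_to_header: str, csp_header: str) -> list[str]:
    """Return the problems found; an empty list means the pair is consistent."""
    problems: list[str] = []
    try:
        groups = parse_report_to(report_to_header)
    except json.JSONDecodeError as exc:
        return [f"Report-To is not valid JSON: {exc}"]

    known_groups = set()
    for group in groups:
        name = group.get("group", "default")  # the Reporting API default group name
        known_groups.add(name)
        max_age = group.get("max_age")
        if not isinstance(max_age, int) or max_age <= 0:
            problems.append(f"group {name!r}: max_age must be a positive number of seconds")
        endpoints = group.get("endpoints") or []
        if not endpoints:
            problems.append(f"group {name!r}: has no endpoints")
        for endpoint in endpoints:
            url = endpoint.get("url", "")
            # The Reporting API only delivers to potentially trustworthy (https) endpoints.
            if urlsplit(url).scheme != "https":
                problems.append(f"group {name!r}: endpoint {url!r} is not https, reports will be dropped")

    csp = parse_csp(csp_header)
    report_to = csp.get("report-to")
    if report_to is None:
        problems.append("CSP has no report-to directive")
    elif len(report_to) != 1:
        problems.append("report-to takes exactly one group name")
    elif report_to[0] not in known_groups:
        problems.append(f"CSP report-to names unknown group {report_to[0]!r}")

    report_uri = csp.get("report-uri")
    if not report_uri:
        problems.append("no report-uri fallback: browsers without report-to support will send nothing")
    else:
        for url in report_uri:
            if urlsplit(url).scheme != "https":
                problems.append(f"report-uri endpoint {url!r} is not https")
    return problems


if __name__ == "__main__":
    for line in check_reporting_config(REPORT_TO_HEADER, CSP_HEADER) or ["OK: headers are consistent"]:
        print(line)
```

The checker only validates the pair of header values; it does not confirm that the endpoint actually answers, so pair it with a test violation from a staging page once the headers are deployed.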

Example Report Format

The report-to format wraps the same violation data as report-uri in a Reporting API envelope (type, age, url, user_agent) and is delivered as a JSON array with Content-Type application/reports+json, so several reports can arrive in one request. Body field names are camelCase (documentURL, blockedURL) instead of the hyphenated keys of the report-uri csp-report object (document-uri, blocked-uri):

Example report-to violation report

[
  {
    "age": 0,
    "body": {
      "documentURL": "https://example.com/page.html",
      "referrer": "",
      "violatedDirective": "script-src-elem",
      "effectiveDirective": "script-src-elem",
      "originalPolicy": "script-src 'self'; report-to csp-endpoint",
      "disposition": "enforce",
      "blockedURL": "https://malicious-site.com/script.js",
      "lineNumber": 42,
      "columnNumber": 8,
      "sourceFile": "https://example.com/page.html",
      "statusCode": 0,
      "sample": ""
    },
    "type": "csp-violation",
    "url": "https://example.com/page.html",
    "user_agent": "Mozilla/5.0 ..."
  }
]
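A collector that accepts both delivery formats, added here as an example; it is not CentralCSP's collector. It normalizes the report-uri csp-report object and the report-to array into one flat record per violation, answers the CORS preflight that Reporting API uploads to a cross-origin endpoint require, and rejects anything that is not one of the two JSON formats. The sample payloads are constructed for the example (the report-to one mirrors the report above); the wildcard CORS origin and the 127.0.0.1:8080 listener are assumptions for a local test, not production settings.

```python
"""Minimal collector accepting both CSP report delivery formats.

Added example, not CentralCSP's code. Sample payloads are constructed; the
wildcard CORS origin and the local listener are assumptions for a local test.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# report-uri: one report per POST as application/csp-report, hyphenated keys.
# report-to: a JSON array per POST as application/reports+json, camelCase keys.
ACCEPTED_TYPES = {"application/csp-report", "application/reports+json", "application/json"}

SAMPLE_REPORT_URI = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page.html",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "original-policy": "script-src 'self'; report-uri https://report.centralcsp.com/<yourID>",
    "disposition": "enforce",
    "blocked-uri": "https://malicious-site.com/script.js",
}}).encode()

SAMPLE_REPORT_TO = json.dumps([{
    "age": 0, "type": "csp-violation", "url": "https://example.com/page.html",
    "user_agent": "Mozilla/5.0 ...",
    "body": {"documentURL": "https://example.com/page.html",
             "blockedURL": "https://malicious-site.com/script.js",
             "effectiveDirective": "script-src-elem", "disposition": "enforce",
             "originalPolicy": "script-src 'self'; report-to csp-endpoint"},
}]).encode()


def normalize_reports(content_type: str, body: bytes) -> list[dict]:
    """Turn either delivery format into one flat record per violation."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in ACCEPTED_TYPES:
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    data = json.loads(body.decode("utf-8"))
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        return [{"source": "report-uri",
                 "document_url": r.get("document-uri"),
                 "blocked_url": r.get("blocked-uri"),
                 "effective_directive": r.get("effective-directive") or r.get("violated-directive"),
                 "disposition": r.get("disposition", "enforce"),
                 "original_policy": r.get("original-policy"),
                 "user_agent": None}]  # only available from the request's User-Agent header
    records = []
    for report in data if isinstance(data, list) else [data]:
        # An endpoint group may also receive other report types; keep only CSP ones.
        if not isinstance(report, dict) or report.get("type") != "csp-violation":
            continue
        b = report.get("body") or {}
        records.append({"source": "report-to",
                        "document_url": b.get("documentURL"),
                        "blocked_url": b.get("blockedURL"),
                        "effective_directive": b.get("effectiveDirective"),
                        "disposition": b.get("disposition"),
                        "original_policy": b.get("originalPolicy"),
                        "user_agent": report.get("user_agent")})
    return records


def handle(method: str, headers: dict, body: bytes):
    """Pure request handler: returns (status, response headers, normalized records)."""
    cors = {"Access-Control-Allow-Origin": "*"}  # assumption: any of your sites may report here
    if method == "OPTIONS":
        # Reporting API uploads to a cross-origin endpoint are preceded by a CORS preflight;
        # if it is not answered, Chromium never sends the POST.
        cors.update({"Access-Control-Allow-Methods": "POST",
                     "Access-Control-Allow-Headers": "Content-Type",
                     "Access-Control-Max-Age": "86400"})
        return 204, cors, []
    if method != "POST":
        return 405, {}, []
    try:
        records = normalize_reports(headers.get("content-type", ""), body)
    except (ValueError, UnicodeDecodeError):  # json.JSONDecodeError is a ValueError
        return 400, {}, []
    return 204, cors, records


class CollectorHandler(BaseHTTPRequestHandler):
    def _dispatch(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        status, resp_headers, records = handle(
            self.command, {k.lower(): v for k, v in self.headers.items()}, body)
        for record in records:
            print(json.dumps(record))  # replace with storage, filtering and alerting
        self.send_response(status)
        for name, value in resp_headers.items():
            self.send_header(name, value)
        self.end_headers()

    do_POST = _dispatch
    do_OPTIONS = _dispatch


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CollectorHandler).serve_forever()
```

Run it and point both report-uri and a Report-To group at http://127.0.0.1:8080/ from a test page (loopback counts as a potentially trustworthy origin, so the Reporting API will deliver to it); in production keep the endpoint on HTTPS and restrict the allowed origin to the sites you serve.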

Why Use Central CSP for Modern Reporting?

Central CSP is ready for the future of security reporting:
  • Future-Proof: Support for both report-to and report-uri
  • Enhanced Reports: More detailed violation information
  • Unified Dashboard: View all reports in one place
  • Smart Analytics: Advanced filtering and analysis
  • Automated Monitoring: Real-time alerts and notifications

Get Started with Modern CSP Reporting

Stay ahead with support for both report-to and report-uri directives


Best Practices

  • Always send both report-to and report-uri. A browser that supports report-to uses the endpoint group and ignores report-uri, so you still get one report per violation, not two

  • Set a sensible max_age for your endpoint group: it is the number of seconds the browser caches the group, so a very short value means frequent re-learning and a very long one delays endpoint changes (10886400 is 126 days)

  • Re-check the endpoint group configuration whenever the CSP or the endpoint URL changes; a report-to directive that names a group not defined in Report-To produces no reports from browsers that support report-to

  • Use HTTPS for all reporting endpoints; the Reporting API only delivers to potentially trustworthy (HTTPS) endpoints, and reports carry page and resource URLs that should not travel in clear

Additional Information

  • The Report-To header can be used by other reporting features beyond CSP; a group is referenced by name and is not tied to one feature
  • Multiple endpoint groups can be defined for different purposes by sending several comma-separated JSON objects in the header value
  • Reports are queued and sent asynchronously in batches, so reporting does not block page loading
  • An endpoint group is replaced by sending a Report-To header with the same group name and a new configuration, and removed by sending it with max_age set to 0
