CentralCSP

Report-uri and Report-to

As illustrated below, the report-uri directive and the report-to header are used to specify a URI to which client web browsers should send reports when a Content Security Policy (CSP) violation occurs.

(Figure: Website with CSP and reporting)

Create your Account

Sign up for a CentralCSP account in a minute. Get 14 days free trial.

Create a Reporting Endpoint

Once logged in, register your application and get your reporting endpoint. You'll receive a unique endpoint URL that looks like: https://report.centralcsp.com/[your-endpoint-id]

Configure Your CSP Headers

Add your new endpoint URL to your CSP configuration using both report-uri and report-to directives for maximum browser compatibility.

Monitor Violations

Access your CentralCSP dashboard to view and analyze any CSP violations in real-time. You'll receive detailed reports about blocked resources and potential security issues.

First Tier Benefits

The first tier includes all essential features: real-time violation reporting, detailed analytics, and support for multiple domains. Upgrade only when you need advanced features like custom alerting, API access, or higher volume reporting.

What is the report-uri directive and the report-to header

Both values are used to specify a URI to which client web browsers should send reports when a Content Security Policy (CSP) violation occurs. By using the reporting endpoint, you will be aware of any CSP violation that happened client-side and be able to take action to fix it.

report-uri

The report-uri directive is used to specify a URI to which client web browsers should send reports when a Content Security Policy violation occurs.

Learn more on the report-uri directive

report-to

The report-to directive is newer: it refers to a named reporting group that can be reused across multiple policies. It is more flexible and powerful than the report-uri directive.

Learn more on the report-to header

Why use both report-uri and report-to

The report-uri directive is deprecated and should be replaced with the report-to directive. However, the report-uri directive is still supported by most browsers, and few browsers implement the report-to directive. That's why we recommend using both directives.

Using both directives will ensure that you receive reports from all browsers, even those that do not support the report-to directive.

Important Note About Deprecation

While report-uri was officially marked for deprecation in favor of report-to, the reality is different. report-uri remains widely supported while report-to has limited browser implementation. This is why using both directives is currently the recommended approach to ensure maximum coverage of violation reporting across all browsers.

How to set up the report-uri directive

To set up the report-uri directive, you need to add a report-uri endpoint to your Content-Security-Policy like the following:

Content-Security-Policy: ...; report-uri https://report.centralcsp.com/MyEndpointID

How to set up the report-to directive

To set up the report-to directive, you need to add a report-to directive to your Content-Security-Policy and define the reporting group in the Reporting-Endpoints header.

Deprecation Notice

The Report-To header has been deprecated in favor of the newer Reporting-Endpoints header. While Report-To was previously recommended for its flexibility in defining endpoint groups and parameters like max_age, browser vendors are moving towards standardizing on Reporting-Endpoints.

Set up the Reporting-Endpoints header like the following:

Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/MyEndpointID"

Set up the report-to directive in the Content-Security-Policy like the following:

Content-Security-Policy: ...; report-to csp-endpoint
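The three headers above have to agree with each other: the group name given to report-to must be a key in Reporting-Endpoints, and the report-uri URL must be reachable by older browsers. The following Python is an added example, not CentralCSP's own code: it builds the headers for one endpoint id and runs a hypothetical check_reporting_config() helper over them. The host https://report.centralcsp.com and the placeholder MyEndpointID are the page's; the helper and its checks are assumptions written here, standard library only.

```python
"""Emit a CSP that names one endpoint through both report-uri and report-to,
plus the Reporting-Endpoints header that defines the group, then check that
the headers agree.  Added example; check_reporting_config() is a hypothetical
helper, not part of CentralCSP."""
from __future__ import annotations

import re

REPORT_HOST = "https://report.centralcsp.com"  # host shown on the page


def reporting_endpoint_url(endpoint_id: str) -> str:
    """The endpoint id is the only variable part of the report URL."""
    return f"{REPORT_HOST}/{endpoint_id}"


def build_csp_headers(endpoint_id: str, policy: str,
                      group: str = "csp-endpoint") -> dict[str, str]:
    """Return the two response headers to send.

    `policy` is the directive list without any reporting directive.  The same
    URL is attached via report-uri (older browsers) and via the report-to
    group (browsers that implement the Reporting API)."""
    url = reporting_endpoint_url(endpoint_id)
    base = policy.rstrip("; ")
    return {
        "Content-Security-Policy": f"{base}; report-uri {url}; report-to {group}",
        # Reporting-Endpoints maps the group name used by report-to to the URL.
        "Reporting-Endpoints": f'{group}="{url}"',
    }


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [values]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


_ENDPOINT_RE = re.compile(r'([A-Za-z0-9_-]+)="([^"]*)"')


def parse_reporting_endpoints(value: str) -> dict[str, str]:
    """Parse `name="url", other="url2"` into {name: url}."""
    return dict(_ENDPOINT_RE.findall(value))


def check_reporting_config(headers: dict[str, str]) -> list[str]:
    """Return a list of misconfigurations; empty when the headers agree."""
    problems: list[str] = []
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    endpoints = parse_reporting_endpoints(headers.get("Reporting-Endpoints", ""))

    if "report-uri" not in csp:
        problems.append("no report-uri: browsers without report-to support send nothing")
    for url in csp.get("report-uri", []):
        if url.startswith("http://"):
            problems.append(f"report-uri {url} is delivered over plain http")

    groups = csp.get("report-to", [])
    if not groups:
        problems.append("no report-to directive")
    for group in groups:
        if group not in endpoints:
            problems.append(f"report-to group '{group}' is not defined in Reporting-Endpoints")
    return problems


if __name__ == "__main__":
    headers = build_csp_headers("MyEndpointID", "default-src 'self'; script-src 'self'")
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("problems:", check_reporting_config(headers))
```

Run check_reporting_config() against the headers your framework actually emits (for example in a deployment test), since the mismatch it catches, a report-to group that no Reporting-Endpoints entry defines, silently drops reports rather than producing an error.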

Example of a CSP Violation Report

When a CSP violation occurs, the browser sends a JSON report to your specified endpoint. Here's an example of what the violation report looks like:

{
    "csp-report": {
        "document-uri": "https://example.com/page.html",
        "referrer": "",
        "violated-directive": "script-src-elem",
        "effective-directive": "script-src-elem",
        "original-policy": "default-src 'self'; script-src 'self' https://trusted.com; report-uri /csp-endpoint",
        "disposition": "enforce",
        "blocked-uri": "https://malicious-site.com/script.js",
        "line-number": 42,
        "column-number": 8,
        "source-file": "https://example.com/page.html",
        "status-code": 0,
        "script-sample": ""
    }
}

This report provides detailed information about the violation, including the blocked resource, violated directive, and where the violation occurred in your code.
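Because the page recommends both directives, an endpoint receives two shapes: the report-uri path delivers the `csp-report` object shown above, while the report-to path delivers a JSON array of Reporting API records. The Python below is an added example, not CentralCSP's code: it normalises both into one record and applies a coarse triage. LEGACY_REPORT reproduces the page's sample; REPORTING_API_REPORT is constructed here using the camel-case body field names of the Reporting API (documentURL, blockedURL, effectiveDirective, ...), which you should verify against the reports your own endpoint receives. Standard library only.

```python
"""Normalise CSP violation reports from both delivery paths into one record
and classify them.  Added example, not CentralCSP code; the Reporting API
field names below are my assumption about the report-to format."""
from __future__ import annotations

import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# The page's sample, as a browser delivers it via report-uri.
LEGACY_REPORT = b'''{"csp-report": {
  "document-uri": "https://example.com/page.html", "referrer": "",
  "violated-directive": "script-src-elem", "effective-directive": "script-src-elem",
  "original-policy": "default-src 'self'; script-src 'self' https://trusted.com; report-uri /csp-endpoint",
  "disposition": "enforce", "blocked-uri": "https://malicious-site.com/script.js",
  "line-number": 42, "column-number": 8,
  "source-file": "https://example.com/page.html", "status-code": 0, "script-sample": ""
}}'''

# Constructed sample in the Reporting API shape used by report-to delivery.
REPORTING_API_REPORT = b'''[{"age": 12, "type": "csp-violation",
  "url": "https://example.com/page.html", "user_agent": "constructed/1.0",
  "body": {
    "documentURL": "https://example.com/page.html", "referrer": "",
    "blockedURL": "inline", "effectiveDirective": "script-src-elem",
    "originalPolicy": "default-src 'self'; report-to csp-endpoint",
    "disposition": "enforce", "statusCode": 200,
    "sourceFile": "https://example.com/page.html", "lineNumber": 10,
    "columnNumber": 4, "sample": ""
  }}]'''


@dataclass
class Violation:
    document: str
    directive: str
    blocked: str
    disposition: str
    source_file: str
    line: int | None


def _from_legacy(r: dict) -> Violation:
    """Map the report-uri (kebab-case) field names."""
    return Violation(
        document=r.get("document-uri", ""),
        directive=r.get("effective-directive") or r.get("violated-directive", ""),
        blocked=r.get("blocked-uri", ""),
        disposition=r.get("disposition", "enforce"),
        source_file=r.get("source-file", ""),
        line=r.get("line-number"),
    )


def _from_reporting_api(b: dict) -> Violation:
    """Map the report-to (camel-case) body field names."""
    return Violation(
        document=b.get("documentURL", ""),
        directive=b.get("effectiveDirective", ""),
        blocked=b.get("blockedURL", ""),
        disposition=b.get("disposition", "enforce"),
        source_file=b.get("sourceFile", ""),
        line=b.get("lineNumber"),
    )


def parse_reports(body: bytes) -> list[Violation]:
    """Accept either delivery format; reject anything else."""
    data = json.loads(body)
    if isinstance(data, dict) and isinstance(data.get("csp-report"), dict):
        return [_from_legacy(data["csp-report"])]
    if isinstance(data, list):
        return [_from_reporting_api(item["body"]) for item in data
                if isinstance(item, dict) and item.get("type") == "csp-violation"
                and isinstance(item.get("body"), dict)]
    raise ValueError("unrecognised CSP report format")


def triage(v: Violation, own_origins: set[str]) -> str:
    """Coarse classification a dashboard would apply to each violation."""
    if "://" not in v.blocked:
        # "inline", "eval" or a bare scheme such as "data": the page's own
        # inline code, a missing nonce/hash, or injected inline content.
        return "inline-or-scheme"
    parts = urlsplit(v.blocked)
    if f"{parts.scheme}://{parts.netloc}" in own_origins:
        return "first-party-blocked"   # the policy is tighter than the site itself
    if v.disposition == "report":
        return "third-party-report-only"
    return "third-party-blocked"       # unlisted third party or injected resource
```

Dispatching on the JSON shape rather than on the Content-Type is deliberate: a misconfigured proxy or framework can rewrite the header, while the body shape is what the browser actually produced. The "third-party-blocked" bucket is where the page's sample lands, and it is the one that deserves a look first.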

CentralSaaS © 2024