CSP: report-to
The Content-Security-Policy
Report-To HTTP response header field
instructs the user agent to store reporting endpoints for an origin.
http
Content-Security-Policy: …; report-to groupname
The directive has no effect in and of itself, but only gains meaning in combination with other directives.
| CSP version | 1 |
|---|---|
| Directive type | Reporting directive |
This directive is not supported in the <meta>
element.
|
|
Syntax
http
Content-Security-Policy: report-to <json-field-value>;
Examples
See Content-Security-Policy-Report-Only for more information and
examples.
http
Report-To: { "group": "csp-endpoint",
"max_age": 10886400,
"endpoints": [
{ "url": "https://example.com/csp-reports" }
] },
{ "group": "hpkp-endpoint",
"max_age": 10886400,
"endpoints": [
{ "url": "https://example.com/hpkp-reports" }
] }
Content-Security-Policy: …; report-to csp-endpoint
http
Report-To: { "group": "endpoint-1",
"max_age": 10886400,
"endpoints": [
{ "url": "https://example.com/reports" },
{ "url": "https://backup.com/reports" }
] }
Content-Security-Policy: …; report-to endpoint-1
http
Reporting-Endpoints: endpoint-1="https://example.com/reports"
Content-Security-Policy: …; report-to endpoint-1
Specifications
| Specification |
|---|
| Content Security Policy Level 3 # directive-report-to |
Browser compatibility
BCD tables only load in the browser