The report-to is a reporting directive of the Content-Security-Policy (CSP) HTTP response header, which instructs the browser to send website violation reports to the configured
Note: To know more about CSP and understand how it helps mitigate common web attacks, refer to this Answer.
To understand this better, let's take an example. Suppose we have a website that uses the CSP header. To monitor any violations of the policies delineated by this header, or to catch the use of any deprecated APIs, we can use the report-to field to direct violation reports to a report-collecting service of our choice. The process is illustrated below:
We can use the following header to map the report-to directive to an endpoint:
Content-Security-Policy: report-to endpoint
The endpoint can be defined in two ways:
Report-To header
The Report-To header carries the endpoint definition as JSON, a text-based data format. To store endpoints in it, we create a JSON object with the following keys:
"group": This identifies the endpoint name and is referenced by the report-to directive. Its value is arbitrary as long as it matches the name given to the directive.
"max-age": This is the length of time, in seconds, for which the browser should use the given endpoints.
"endpoints": This contains the URLs to which the reports will be sent. More than one URL may be specified in this field.
An example of using JSON data with the report-to directive is shown below:
Report-To: { "group": "endpoint", "max-age": 1000000, "endpoints": [{ "url": "https://firstsite.com/reports" }, { "url": "https://secondsite.com/reports" }] }
Content-Security-Policy: report-to endpoint
Note: A header carries metadata sent along with an HTTP request or response. A directive is a field of a header. Here, Report-To is the header that contains the JSON data, while report-to is a directive of the CSP header.
Reporting-Endpoints header
The Reporting-Endpoints header is frequently used in conjunction with the report-to directive to specify the endpoints. An example is shown below:
Reporting-Endpoints: endpoint="https://firstsite.com/reports"
Content-Security-Policy: report-to endpoint
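To make both endpoint definitions concrete, the following Python is an added example (not code from the original page or from any browser or library) that builds the Report-To, Reporting-Endpoints and Content-Security-Policy headers for a response, and then validates and summarises the batch of reports a browser later POSTs to the collector. The collector URLs, the report body fields and the sample delivery are constructed for the example; the report shape follows the Reporting API format the browser uses for report-to (a JSON array under Content-Type application/reports+json), which is an assumption of this example rather than something the page states.

```python
"""Build CSP reporting headers and parse the violation reports a browser sends back.

Added example; not code from the original page. Endpoint URLs and the sample
delivery below are constructed for illustration.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed collector URLs (placeholders, not real services).
PRIMARY_COLLECTOR = "https://firstsite.com/reports"
BACKUP_COLLECTOR = "https://secondsite.com/reports"


def report_to_header(group: str, max_age: int, urls: list[str]) -> str:
    """Value for the Report-To header: a JSON object with group, max-age (seconds)
    and a list of endpoint objects, in the order the page describes."""
    obj = {"group": group, "max-age": max_age, "endpoints": [{"url": u} for u in urls]}
    return json.dumps(obj, separators=(",", ":"))


def reporting_endpoints_header(endpoints: dict[str, str]) -> str:
    """Value for the Reporting-Endpoints header: comma-separated name="url" pairs."""
    return ", ".join(f'{name}="{url}"' for name, url in endpoints.items())


def csp_header(group: str, policy: str = "default-src 'self'") -> str:
    """CSP value whose report-to directive references the endpoint/group name."""
    return f"{policy}; report-to {group}"


def response_headers(group: str, max_age: int, urls: list[str]) -> dict[str, str]:
    """All three headers for one response; the group name must match across them."""
    return {
        "Report-To": report_to_header(group, max_age, urls),
        "Reporting-Endpoints": reporting_endpoints_header({group: urls[0]}),
        "Content-Security-Policy": csp_header(group),
    }


def parse_reports(content_type: str, raw_body: str) -> list[dict[str, Any]]:
    """Validate and decode one report-to delivery from a browser.

    The browser POSTs a JSON array of report objects with
    Content-Type: application/reports+json; anything else is rejected, and
    malformed entries are dropped rather than crashing the collector.
    """
    if content_type.split(";")[0].strip() != "application/reports+json":
        raise ValueError(f"unexpected content type: {content_type}")
    reports = json.loads(raw_body)
    if not isinstance(reports, list):
        raise ValueError("report delivery must be a JSON array")
    return [
        r for r in reports
        if isinstance(r, dict) and isinstance(r.get("type"), str) and isinstance(r.get("body"), dict)
    ]


def summarize(reports: list[dict[str, Any]]) -> dict[tuple[str, str], int]:
    """Count reports by (type, detail): the violated directive for CSP reports,
    the deprecation id for deprecation reports, '?' when the field is absent."""
    summary: dict[tuple[str, str], int] = {}
    for r in reports:
        body = r["body"]
        detail = body.get("effectiveDirective") if r["type"] == "csp-violation" else body.get("id")
        key = (r["type"], detail or "?")
        summary[key] = summary.get(key, 0) + 1
    return summary


# Constructed sample delivery: one CSP violation and one deprecation report.
SAMPLE_DELIVERY = json.dumps([
    {"type": "csp-violation", "age": 12, "url": "https://firstsite.com/page",
     "user_agent": "ExampleBrowser/1.0",
     "body": {"documentURL": "https://firstsite.com/page",
              "blockedURL": "https://cdn.example.net/widget.js",
              "effectiveDirective": "script-src-elem",
              "originalPolicy": "default-src 'self'; report-to endpoint",
              "disposition": "enforce", "statusCode": 200}},
    {"type": "deprecation", "age": 40, "url": "https://firstsite.com/page",
     "user_agent": "ExampleBrowser/1.0",
     "body": {"id": "ExampleDeprecatedAPI", "message": "constructed sample message"}},
    "not-a-report-object",
])


if __name__ == "__main__":
    for name, value in response_headers("endpoint", 1000000, [PRIMARY_COLLECTOR, BACKUP_COLLECTOR]).items():
        print(f"{name}: {value}")
    print(summarize(parse_reports("application/reports+json", SAMPLE_DELIVERY)))
```

The group name is the only link between the three headers, so `response_headers` takes it once and reuses it; a mismatch between the name in Report-To or Reporting-Endpoints and the name after report-to silently disables reporting, which is the first thing to check when no reports arrive.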
The report-to directive is a great mechanism to log any errors experienced by website visitors. However, there are some limitations to this, as outlined below:
Browser compatibility: Currently, only Chrome and Edge support using this directive in the CSP header.
<iframe> tags: The reports generated by violations on our website, including the use of deprecated APIs or third-party breaches, will be sent to the endpoints we specified. However, if there are violations in cross-origin iframes embedded in the website, the reports will be sent to the owners of the iframes and not to the website owner.