What is the report-to HTTP directive?

The report-to directive is a reporting directive of the Content-Security-Policy (CSP) HTTP response header. It instructs the browser to send a report about each policy violation to a configured endpoint (the destination to which reports generated by an origin are delivered).

Note: To learn more about CSP and how it helps mitigate common web attacks, refer to this Answer.

To understand this better, let's take an example. Suppose we have a website that sends a CSP header. To monitor violations of the policy that header declares, we use the report-to directive to direct violation reports to a report-collecting service of our choice. Because the endpoint is defined through the browser's Reporting API, the same endpoint can also receive other report types the browser generates (such as deprecation reports), but the report-to directive itself only covers CSP violations. The process is illustrated below:

Using the report-to directive to send violation reports to an endpoint

Syntax

We use the following header to point the report-to directive at a named endpoint:

Content-Security-Policy: report-to endpoint

The endpoint can be defined in two ways:

The Report-To header (JSON data)

The older Report-To header carries a JSON object that defines a named group of endpoints. The object has the following keys:

  • "group": The name of the endpoint group. The report-to directive refers to the group by this name, so the two must match exactly; if "group" is omitted, the browser uses the name "default".

  • "max_age": The number of seconds for which the browser caches and uses this endpoint configuration. Note the underscore; "max-age" is not a valid key.

  • "endpoints": An array of objects, each with a "url" key holding the HTTPS URL to which reports are POSTed. More than one endpoint may be listed; the browser delivers each report to one of them (the optional "priority" and "weight" keys influence which one).

An example of using JSON data with the report-to directive is shown below (the header value is split across lines here for readability; on the wire it is sent as a single line):

Report-To: { "group": "endpoint",
             "max_age": 1000000,
             "endpoints": [
               { "url": "https://firstsite.com/reports" },
               { "url": "https://secondsite.com/reports" }
             ] }
Content-Security-Policy: report-to endpoint

The Report-To header is the older, deprecated form of endpoint configuration. Chromium still accepts it, but new deployments should use the Reporting-Endpoints header described below and may send Report-To alongside it for older browser versions.

Note: A header carries information sent with an HTTP request or response; a directive is one field inside a header's value. Here, Report-To is a header containing JSON data, while report-to is a directive of the Content-Security-Policy header.

The Reporting-Endpoints header

The Reporting-Endpoints header is the current way to name endpoints for the report-to directive. Its value is a comma-separated list of name="URL" pairs; each URL must use HTTPS, and the name on the left is what the report-to directive refers to. Unlike Report-To, the browser does not cache it, so it must accompany every response whose CSP uses it. An example is shown below:

Reporting-Endpoints: endpoint="https://firstsite.com/reports"
Content-Security-Policy: report-to endpoint
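The following is an added example, not code from the original page or from Educative. It shows how a server-side handler can emit the Reporting-Endpoints, Report-To and Content-Security-Policy headers together so that both current and older browsers deliver reports, and how to trial the policy in report-only mode first. The group name csp-endpoint, the collector URL https://reports.example.com/csp and all function names are assumptions made for illustration.

```javascript
// Added example (not code from the original page): emit the headers that wire a
// CSP to a reporting endpoint. The group name "csp-endpoint", the collector URL
// https://reports.example.com/csp and the function names are assumptions.

const REPORT_GROUP = "csp-endpoint";                  // assumed group name
const REPORT_URL = "https://reports.example.com/csp"; // assumed collector URL (must be HTTPS)

// Reporting-Endpoints (Reporting API v1): a dictionary of name="URL" pairs,
// comma-separated when there are several. The browser does not cache it, so it
// has to accompany every response whose CSP refers to one of its names.
function buildReportingEndpoints(endpoints) {
  return Object.entries(endpoints)
    .map(([group, url]) => `${group}="${url}"`)
    .join(", ");
}

// Report-To (legacy Reporting API v0, still honoured by older Chromium): a JSON
// object. The key is max_age (underscore), the number of seconds the browser
// caches this endpoint group for the origin.
function buildReportTo({ group, urls, maxAgeSeconds }) {
  return JSON.stringify({
    group,
    max_age: maxAgeSeconds,
    endpoints: urls.map((url) => ({ url })),
  });
}

// The policy itself. report-to names the group; report-uri is the fallback for
// browsers without report-to support. A browser that understands report-to
// ignores report-uri, so listing both never produces duplicate reports.
function buildCsp({ group, reportUrl, reportOnly }) {
  const directives = [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    `report-to ${group}`,
    `report-uri ${reportUrl}`,
  ];
  return {
    name: reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
    value: directives.join("; "),
  };
}

// Attach all three headers to anything with setHeader(name, value), e.g. a
// Node.js http.ServerResponse. reportOnly=true reports violations without
// blocking anything, which is how a new policy is normally trialled first.
function attachReportingHeaders(res, { reportOnly = false } = {}) {
  const csp = buildCsp({ group: REPORT_GROUP, reportUrl: REPORT_URL, reportOnly });
  res.setHeader("Reporting-Endpoints", buildReportingEndpoints({ [REPORT_GROUP]: REPORT_URL }));
  res.setHeader("Report-To", buildReportTo({ group: REPORT_GROUP, urls: [REPORT_URL], maxAgeSeconds: 86400 }));
  res.setHeader(csp.name, csp.value);
  return csp;
}

// Minimal stand-in for a response object, so the example runs without a server.
function demoHeaders(reportOnly) {
  const headers = {};
  attachReportingHeaders({ setHeader: (name, value) => { headers[name] = value; } }, { reportOnly });
  return headers;
}
```

With a real server, call attachReportingHeaders(res) inside the request handler before writing the body; demoHeaders(true) shows the report-only variant, which is the sensible first deployment of any new policy.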

Limitations

The report-to directive is a good way to learn which policy violations visitors' browsers actually encounter. It does have limitations:

  • Browser compatibility: report-to is supported in Chromium-based browsers such as Chrome and Edge. Browsers without it still honour the older report-uri directive, so a policy that lists both (report-to, with report-uri as the fallback) reaches the widest audience; a browser that supports report-to ignores report-uri, so no browser reports twice.

  • Cross-origin (different scheme, domain, sub-domain or port) <iframe> tags: violations caused by resources our own document loads, including third-party scripts and images, are reported to our endpoints. A cross-origin iframe, however, is a separate document governed by its own CSP, so violations inside it are reported to whatever endpoints the iframe's owner configured, not to ours.
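The following is an added example, not code from the original page or from Educative, showing the receiving side. Because browsers without report-to fall back to report-uri, a collector has to accept two wire formats: the Reporting API upload (Content-Type application/reports+json, a JSON array of reports) and the legacy report-uri upload (Content-Type application/csp-report, a single object under a "csp-report" key with kebab-case field names). It also drops reports whose document is on another origin, which is where reports from a cross-origin iframe would appear if they were misrouted or forged. The origin https://www.example.com, the function names and the sample uploads are constructed for illustration, not captured from a browser.

```javascript
// Added example (not code from the original page): the collector side. The
// origin https://www.example.com and the sample uploads below are constructed
// for illustration, not captured from a real browser.

const SITE_ORIGIN = "https://www.example.com"; // assumed: the site we monitor

// Bring one violation into a common shape regardless of wire format.
function normalise(v) {
  return {
    documentURL: v.documentURL,
    blockedURL: v.blockedURL,
    effectiveDirective: v.effectiveDirective,
    disposition: v.disposition || "enforce",
    sourceFile: v.sourceFile || null,
    lineNumber: typeof v.lineNumber === "number" ? v.lineNumber : null,
  };
}

// Convert a legacy report-uri body ({"csp-report": {...}}, kebab-case keys) to
// the Reporting API field names used by normalise().
function fromLegacy(report) {
  const b = report["csp-report"] || {};
  return {
    documentURL: b["document-uri"],
    blockedURL: b["blocked-uri"],
    effectiveDirective: b["effective-directive"] || b["violated-directive"],
    disposition: b["disposition"],
    sourceFile: b["source-file"],
    lineNumber: b["line-number"],
  };
}

// Parse one upload. Returns accepted violations plus the ones dropped and why.
// Throws on an unsupported Content-Type so the HTTP layer can answer 415.
// Reports are unauthenticated POSTs that anyone can forge, so treat them as
// untrusted input: parse defensively, check the origin, and rate-limit upstream.
function parseCspReports(contentType, bodyText, siteOrigin = SITE_ORIGIN) {
  const mediaType = String(contentType).split(";")[0].trim().toLowerCase();
  let violations;
  if (mediaType === "application/reports+json") {
    // Reporting API: a JSON array of reports. The same endpoint may receive other
    // types (e.g. "deprecation") from other features, so keep only csp-violation.
    const reports = JSON.parse(bodyText);
    violations = (Array.isArray(reports) ? reports : [])
      .filter((r) => r && r.type === "csp-violation" && r.body)
      .map((r) => r.body);
  } else if (mediaType === "application/csp-report") {
    violations = [fromLegacy(JSON.parse(bodyText))];
  } else {
    throw new Error(`unsupported report Content-Type: ${mediaType}`);
  }

  const accepted = [];
  const dropped = [];
  for (const v of violations) {
    // A document's CSP only reports its own violations, so a report naming a
    // document on another origin (for example a cross-origin iframe, whose
    // reports go to that iframe's own endpoints) is misrouted or forged.
    let origin = null;
    try { origin = new URL(v.documentURL).origin; } catch (e) { /* unparsable URL */ }
    if (origin !== siteOrigin) {
      dropped.push({ documentURL: v.documentURL, reason: "foreign-origin" });
      continue;
    }
    accepted.push(normalise(v));
  }
  return { accepted, dropped };
}

// Constructed sample uploads (not real browser output).
const SAMPLE_REPORTING_API = JSON.stringify([
  { age: 12, type: "csp-violation", url: "https://www.example.com/checkout", user_agent: "constructed",
    body: { documentURL: "https://www.example.com/checkout", blockedURL: "https://cdn.evil.example/x.js",
            effectiveDirective: "script-src", disposition: "enforce", statusCode: 200,
            sourceFile: "https://www.example.com/checkout", lineNumber: 42 } },
  { age: 3, type: "deprecation", url: "https://www.example.com/", user_agent: "constructed",
    body: { id: "SomeFeature", message: "constructed" } },
  { age: 5, type: "csp-violation", url: "https://embedded.example.net/widget", user_agent: "constructed",
    body: { documentURL: "https://embedded.example.net/widget", blockedURL: "inline",
            effectiveDirective: "script-src", disposition: "report" } },
]);
const SAMPLE_LEGACY = JSON.stringify({
  "csp-report": { "document-uri": "https://www.example.com/login", "referrer": "",
    "violated-directive": "script-src 'self'", "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri https://reports.example.com/csp",
    "disposition": "enforce", "blocked-uri": "inline", "line-number": 7,
    "source-file": "https://www.example.com/login", "status-code": 200 },
});
```

Running parseCspReports on SAMPLE_REPORTING_API accepts the first report, silently ignores the deprecation report, and drops the third because its document is on another origin; SAMPLE_LEGACY yields the same normalised shape from the report-uri format. If the collector lives on a different origin from the site, the browser preflights the upload, so the endpoint also has to answer OPTIONS with the appropriate CORS headers.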


Copyright ©2025 Educative, Inc. All rights reserved