What is the report-to HTTP directive?

The report-to is a reporting directive of the Content-Security-Policy (CSP) HTTP response header, which instructs the browser to send website violation reports to the configured endpointAn endpoint is the destination where reports from an origin can be sent. for the violation.

Note: To know more about CSP and understand how it helps mitigate common web attacks, refer to this Answer.

To understand this better, let's take an example. Suppose we have a website that uses the CSP header. To monitor any violations of the policies delineated by this header or catch the use of any deprecated APIs, we can use the report-to field to direct violation reports to a report collecting service of our choice. The process is illustrated below:

Using the report-to directive to send violation reports to an endpoint

Command

We can use the following command to map the report-to directive to an endpoint:

Content-Security-Policy: report-to endpoint

The endpoint can be defined in two ways:

JSON data

JSON is a format to store text-based data. To store endpoints in it, we create a JSON object with the following keys:

  • "group": This identifies the endpoint name and is referenced by the report-to directive automatically. Its value is arbitrary as long as it matches the name given to the directive.

  • "max-age": This is the length of time for which the browser should use the given endpoints.

  • "endpoints": This contains the URL to which the reports will be sent. There may be more than one URL specified in this field.

An example of using JSON data with the report-to directive is shown below.:

Report-To: { "group": "endpoint",
              "max-age": 1000000,
              "endpoints": [
                { "url": "https://firstsite.com/reports" },
                { "url": "https://secondsite.com/reports" }
              ] }
Content-Security-Policy: report-to endpoint

Note: Header encapsulates the information sent in over the HTTP request or response. A directive is a field of a header. Here, Report-To is the header which contains the JSON data while report-to is a directive of the CSP header.

The Reporting-Endpointsheader

The Reporting-Endpoints header is frequently used in conjunction with the report-to directive to specify the endpoints. An example is shown below:

Reporting-Endpoints: endpoint="https://firstsite.com/reports"
Content-Security-Policy: report-to endpoint

Limitation

The report-to is a great mechanism to log any errors experienced by website visitors. However, there are some limitations to this, as outlined below:

  • Browser compatibility: Currently, only Chrome and Edge support using this directive in the CSP header.

  • Cross-originThese are websites with different domains, ports, sub-domain, or schemes. <iframe> tags: The report generated due to violations on our website will be sent to the endpoints specified, including any deprecated APIs or third-party breaches. However, if there are violations in cross-origin iframes embedded in the website, the reports will be sent to the owners of the iframes and not the website owner.

Free AI Mock Interviews
Coding Interview
Coding PatternsFree Interview
Gain insights and practical experience with coding patterns through targeted MCQs and coding problems, designed to match and challenge your expertise level.
System Design
You TubeFree Interview
Learn to design a video streaming platform like YouTube by tackling functional and non-functional requirements, core components, and high-level to detailed design challenges.

Free Resources

Copyright ©2025 Educative, Inc. All rights reserved