W3cubDocs

/HTTP

CSP: report-to

The Content-Security-Policy Report-To HTTP response header field instructs the user agent to store reporting endpoints for an origin.

Content-Security-Policy: ...; report-to groupname

The directive has no effect in and of itself, but only gains meaning in combination with other directives.

CSP version 1
Directive type Reporting directive
This directive is not supported in the <meta> element.

Syntax

Content-Security-Policy: report-to <json-field-value>;

Examples

See Content-Security-Policy-Report-Only for more information and examples.

Report-To: { "group": "csp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/csp-reports" }
             ] },
           { "group": "hpkp-endpoint",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/hpkp-reports" }
             ] }
Content-Security-Policy: ...; report-to csp-endpoint
Report-To: { "group": "endpoint-1",
             "max_age": 10886400,
             "endpoints": [
               { "url": "https://example.com/reports" },
               { "url": "https://backup.com/reports" }
             ] } 

Content-Security-Policy: ...; report-to endpoint-1

Browser compatibilityUpdate compatibility data on GitHub

Desktop
Chrome Edge Firefox Internet Explorer Opera Safari
report-to 70 79 No No No No
Mobile
Android webview Chrome for Android Firefox for Android Opera for Android Safari on iOS Samsung Internet
report-to 70 70 No No No 10.0

See also

© 2005–2020 Mozilla and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to