Reporting directive

CSP reporting directives are used in a Content-Security-Policy header and control the reporting process of CSP violations.

List of CSP reporting directives

report-uri
Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

Though the report-to directive is intended to replace the deprecated report-uri directive, report-to isn’t supported in most browsers yet. So for compatibility with current browsers while also adding forward compatibility when browsers get report-to support, you can specify both report-uri and report-to:

Content-Security-Policy: ...; report-uri https://endpoint.example.com; report-to groupname

In browsers that support report-to, the report-uri directive will be ignored.

report-to
Fires a SecurityPolicyViolationEvent.