CSP: report-to

You’re reading the English version of this content since no translation exists yet for this locale. Help us translate this article!

The Content-Security-Policy Report-To HTTP response header field instructs the user agent to store reporting endpoints for an origin.

Content-Security-Policy: ...; report-to groupname

The directive has no effect in and of itself, but only gains meaning in combination with other directives.

CSP version 1
Directive type Reporting directive
This directive is not supported in the <meta> element.

Syntax

Content-Security-Policy: report-to <json-field-value>;

Examples

See Content-Security-Policy-Report-Only for more information and examples.

Report-To: { "group": "csp-endpoint",
             "max-age": 10886400,
             "endpoints": [
               { "url": "https://example.com/csp-reports" }
             ] },
           { "group": "hpkp-endpoint",
             "max-age": 10886400,
             "endpoints": [
               { "url": "https://example.com/hpkp-reports" }
             ] }
Content-Security-Policy: ...; report-to csp-endpoint
Report-To: { "group": "endpoint-1",
             "max-age": 10886400,
             "endpoints": [
               { "url": "https://example.com/reports" },
               { "url": "https://backup.com/reports" }
             ] } 

Content-Security-Policy: ...; report-to endpoint-1

Browser compatibility

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
report-toChrome Full support 70Edge No support NoFirefox No support NoIE No support NoOpera No support NoSafari No support NoWebView Android Full support 70Chrome Android Full support 70Firefox Android No support NoOpera Android No support NoSafari iOS No support NoSamsung Internet Android No support No

Legend

Full support  
Full support
No support  
No support

See also