CSP: report-to
The Content-Security-Policy
Report-To
HTTP response header field
instructs the user agent to store reporting endpoints for an origin.
Content-Security-Policy: ...; report-to groupname
The directive has no effect in and of itself, but only gains meaning in combination with other directives.
CSP version | 1 |
---|---|
Directive type | Reporting directive |
This directive is not supported in the <meta>
element.
|
Syntax
Content-Security-Policy: report-to <json-field-value>;
Examples
See Content-Security-Policy-Report-Only
for more information and
examples.
Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/csp-reports" } ] }, { "group": "hpkp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/hpkp-reports" } ] } Content-Security-Policy: ...; report-to csp-endpoint
Report-To: { "group": "endpoint-1", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/reports" }, { "url": "https://backup.com/reports" } ] } Content-Security-Policy: ...; report-to endpoint-1
Specifications
Specification |
---|
Content Security Policy Level 3 # directive-report-to |
Browser compatibility
BCD tables only load in the browser