The Content-Security-Policy
Report-To
HTTP response header field instructs the user agent to store reporting endpoints for an origin.
Content-Security-Policy: ...; report-to groupname
The directive has no effect in and of itself, but only gains meaning in combination with other directives.
CSP version | 1 |
---|---|
Directive type | Reporting directive |
This directive is not supported in the <meta> element. |
Syntax
Content-Security-Policy: report-to <json-field-value>;
Examples
See Content-Security-Policy-Report-Only
for more information and examples.
Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/csp-reports" } ] }, { "group": "hpkp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/hpkp-reports" } ] } Content-Security-Policy: ...; report-to csp-endpoint
Report-To: { "group": "endpoint-1", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/reports" }, { "url": "https://backup.com/reports" } ] } Content-Security-Policy: ...; report-to endpoint-1
Browser compatibility
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
Desktop | Mobile | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
report-to | Chrome Full support 70 | Edge Full support 79 | Firefox No support No | IE No support No | Opera No support No | Safari No support No | WebView Android Full support 70 | Chrome Android Full support 70 | Firefox Android No support No | Opera Android No support No | Safari iOS No support No | Samsung Internet Android Full support 10.0 |
Legend
- Full support
- Full support
- No support
- No support