HTTP Headers
Report To
Deprecated: This feature is no longer recommended. While some browsers may still support it, it might have been removed from the relevant web standards, is in the process of being dropped, or is kept only for compatibility purposes. It is advisable to avoid using it and update existing code whenever possible.
See the compatibility table below to help guide your decision. Be aware that this feature may cease to function at any time.
Non-standard: This feature is non-standard and does not follow the official web standards track. It should not be used on production sites facing the Web because it may not work for all users. Additionally, different implementations might have significant incompatibilities, and its behavior could change in the future.
Warning: This header has been replaced by the Reporting-Endpoints HTTP response header. It is a deprecated element from an earlier version of the Reporting API specification.
The HTTP Report-To response header allows website administrators to define named groups of endpoints that can be used as destinations for warning and error reports, such as Content Security Policy (CSP) violation reports, Cross-Origin-Opener-Policy reports, deprecation reports, or other generic violations.
It is commonly used alongside other headers that specify a group of endpoints for particular report types. For example, the Content-Security-Policy header’s report-to directive can be used to select the reporting group for CSP violations.
The Report-To header is typically used in conjunction with other headers that define endpoint groups for specific reports, ensuring organized and targeted reporting.
Syntax
Report-To: <json-field-value>
- json-field-value
  One or more endpoint-group definitions, defined as a JSON array that omits the surrounding [ and ] markers. Each object in the array has the following members:
  - group
    A name for the group of endpoints.
  - max_age
    The time in seconds that the browser should cache the reporting configuration.
  - endpoints
    An array of one or more URLs where the reports in the group should be sent.
Examples
This section provides practical examples of how to configure Content Security Policy (CSP) violation reporting using the Report-To header.
First, a server can send a response with the Report-To HTTP header to define a group of reporting endpoints. This group is then referenced in the CSP to specify where violation reports should be sent. Here, the server sets up a report group named csp-endpoints with two URLs as targets for reports.
Example of a Report-To header:
Note: The following JSON specifies the report group's configuration, including its name, maximum age, and endpoints.
Report-To: { "group": "csp-endpoints", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/reports" }, { "url": "https://backup.com/reports" } ] }
To direct the CSP violation reports to this group, the server sets the report-to directive within the Content Security Policy header:
Content-Security-Policy: script-src https://example.com/; report-to csp-endpoints
This setup ensures that any CSP violations related to script-src will be sent to both URLs listed in the Report-To group.
Specifying multiple reporting groups
The next example shows how to configure multiple reporting groups within the header, each with a unique name and different endpoints. Note that the groups are separated by commas, without surrounding array brackets.
Report-To: { "group": "csp-endpoint-1", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/csp-reports" } ] }, { "group": "hpkp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/hpkp-reports" } ] }
To specify which group to use in the CSP, you include its name in the report-to directive:
Content-Security-Policy: script-src https://example.com/; report-to csp-endpoint-1
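An added example, not part of the original page or of any browser's code: a small JavaScript check that parses a Report-To value as the syntax section describes (wrapping it in [ and ] before JSON parsing) and confirms that the group named by a CSP report-to directive is actually defined. The function names, the https-only endpoint check, and the "default" fallback for a missing group are assumptions of this example.

```javascript
// Parse a Report-To value: a JSON array written without its surrounding [ and ].
function parseReportTo(value) {
  const groups = new Map(), problems = [];
  let items;
  try { items = JSON.parse("[" + value + "]"); }
  catch (e) { return { groups, problems: ["not valid JSON once wrapped in [ ]"] }; }
  for (const item of items) {
    if (item === null || typeof item !== "object" || Array.isArray(item)) {
      problems.push("entry is not a JSON object (were [ ] included?)");
      continue;
    }
    // Assumption from the Reporting API draft: a missing group means "default".
    const name = typeof item.group === "string" ? item.group : "default";
    if (!Number.isInteger(item.max_age) || item.max_age < 0)
      problems.push(`${name}: max_age must be a non-negative number of seconds`);
    const urls = [];
    for (const ep of Array.isArray(item.endpoints) ? item.endpoints : []) {
      let u = null;
      try { u = new URL(ep.url); } catch (e) { /* invalid or missing url */ }
      // Added check (assumption): only absolute https URLs, as in the page's examples.
      if (u && u.protocol === "https:") urls.push(u.href);
      else problems.push(`${name}: unusable endpoint ${JSON.stringify(ep)}`);
    }
    if (urls.length === 0) problems.push(`${name}: no usable endpoints`);
    groups.set(name, { maxAge: item.max_age, urls });
  }
  return { groups, problems };
}
// Return the group named by a CSP report-to directive, or null if absent.
function cspReportGroup(csp) {
  for (const directive of csp.split(";")) {
    const [name, ...args] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "report-to") return args[0] || null;
  }
  return null;
}
// Problems that would leave CSP violation reports with no destination.
function checkReporting(reportTo, csp) {
  const { groups, problems } = parseReportTo(reportTo);
  const wanted = cspReportGroup(csp);
  if (wanted !== null && !groups.has(wanted))
    problems.push(`CSP report-to names "${wanted}", which Report-To does not define`);
  return problems;
}
// Header pair from the page's first example, then a constructed mismatch.
const PAGE_REPORT_TO = '{ "group": "csp-endpoints", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/reports" }, { "url": "https://backup.com/reports" } ] }';
console.log(checkReporting(PAGE_REPORT_TO, "script-src https://example.com/; report-to csp-endpoints"));
console.log(checkReporting(PAGE_REPORT_TO, "script-src https://example.com/; report-to csp-endpoint-1"));
```

The second call reports the mismatch between the group name in the CSP and the group the header defines, the kind of misconfiguration that leaves violation reports undelivered without any visible error.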
Specifications
This header configuration is no longer part of any active standard but was previously included in the Reporting API.
How to Modify Header using Requestly
- Install and open the Requestly Chrome extension. You can get it from the Chrome Web Store.
- Create a new rule: Click on “Create Rule” and select “Modify Headers” from the options.
- Add a new header modification:
  - Choose “Add” or “Override” for “Action”.
  - Enter Report-To in the “Header Name” field.
  - Provide your desired JSON configuration string in the “Header Value” field. For example:
    { "group": "default", "max_age": 10886400, "endpoints": [{ "url": "https://example.com/reports" }], "include_subdomains": true }
- Set the URL condition: Define the URL or pattern where the header modification applies, like https://your-site.com/*.
- Save the rule.
This setup causes Requestly to inject the customized Report-To header into matching requests. This helps you test how your site handles reporting endpoints or modify browser reporting behavior during development.