Report-To

HTTP Header

Deprecated: This feature is no longer recommended. While some browsers may still support it, it might have been removed from the relevant web standards, is in the process of being dropped, or is kept only for compatibility purposes. It is advisable to avoid using it and update existing code whenever possible.
See the compatibility table below to help guide your decision. Be aware that this feature may cease to function at any time.

Non-standard: This feature is non-standard and does not follow the official web standards track. It should not be used on production sites facing the Web because it may not work for all users. Additionally, different implementations might have significant incompatibilities, and its behavior could change in the future.

Warning:
This header has been replaced by the Reporting-Endpoints HTTP response header.
It is a deprecated element from an earlier version of the Reporting API specification.

The HTTP Report-To response header allows website administrators to define named groups of endpoints that can be used as destinations for warning and error reports, such as Content Security Policy (CSP) violation reports, Cross-Origin-Opener-Policy reports, deprecation reports, or other generic violations.
It is typically used in conjunction with other headers that select a group of endpoints for a particular kind of report.
For example, the Content-Security-Policy header's report-to directive can be used to select the reporting group for CSP violations.

Syntax

Report-To: <json-field-value>

json-field-value

One or more endpoint-group definitions, defined as a JSON array that omits the surrounding [ and ] markers.
Each object in the array has the following members:

group

A name for the group of endpoints.

max_age

The time in seconds that the browser should cache the reporting configuration.

endpoints

An array of one or more URLs where the reports in the group should be sent.

Examples

This section provides practical examples of how to configure Content Security Policy (CSP) violation reporting using the Report-To header.

First, a server can send a response with the Report-To HTTP header to define a group of reporting endpoints. This group is then referenced in the CSP to specify where violation reports should be sent. Here, the server sets up a report group named csp-endpoints with two URLs as targets for reports.

Example of a Report-To header:

Note: The following JSON specifies the report group's configuration, including its name, maximum age, and endpoints.

Report-To: { "group": "csp-endpoints", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/reports" }, { "url": "https://backup.com/reports" } ] }

To direct the CSP violation reports to this group, the server sets the report-to directive within the Content Security Policy header:

Content-Security-Policy: script-src https://example.com/; report-to csp-endpoints

This setup ensures that any CSP violations related to script-src will be sent to both URLs listed in the Report-To group.

Specifying multiple reporting groups

The next example shows how to configure multiple reporting groups in a single header, each with a unique name and different endpoints. Note that the group objects are separated by commas and are not wrapped in array brackets.

Report-To: { "group": "csp-endpoint-1", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/csp-reports" } ] }, { "group": "hpkp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https://example.com/hpkp-reports" } ] }

To specify which group to use in the CSP, you include its name in the report-to directive:

Content-Security-Policy: script-src https://example.com/; report-to csp-endpoint-1
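
If the CSP report-to directive names a group that Report-To never defines, the browser has no endpoint to deliver violation reports to, so it is worth linting the two headers together. The following Python is an added example, not code from the original page or from Requestly; the function names, the https-only endpoint policy and the treatment of a missing "group" member as "default" are assumptions of the example.

```python
import json
from urllib.parse import urlsplit

def parse_report_to(value):
    """Return ({group name: [endpoint URLs]}, [problems]) for a Report-To value."""
    problems = []
    try:
        # The field value is a JSON array without the surrounding [ and ].
        entries = json.loads("[" + value + "]")
    except json.JSONDecodeError as exc:
        return {}, ["Report-To is not valid JSON: " + exc.msg]
    groups = {}
    for entry in entries:
        if not isinstance(entry, dict):
            problems.append("entry is not a JSON object")
            continue
        # Assumption: a missing "group" member means the group named "default".
        name = entry.get("group", "default")
        age = entry.get("max_age")
        if isinstance(age, bool) or not isinstance(age, int) or age < 0:
            problems.append(f"{name}: max_age must be a non-negative integer")
        endpoints = entry.get("endpoints")
        endpoints = endpoints if isinstance(endpoints, list) else []
        urls = [e.get("url") for e in endpoints if isinstance(e, dict)]
        if not urls:
            problems.append(f"{name}: no endpoints defined")
        for url in urls:
            # Policy of this example: reports must not travel in cleartext.
            if urlsplit(str(url)).scheme != "https":
                problems.append(f"{name}: endpoint {url} is not https")
        groups[name] = urls
    return groups, problems

def lint_reporting(report_to, csp):
    """Cross-check each CSP report-to directive against the Report-To groups."""
    groups, problems = parse_report_to(report_to)
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "report-to":
            for ref in tokens[1:]:
                if ref not in groups:
                    problems.append(f"CSP report-to names undefined group {ref}")
    return problems

# Constructed sample: cleartext endpoint, and the CSP names a group that is not defined.
SAMPLE_REPORT_TO = ('{ "group": "csp-endpoint-1", "max_age": 10886400, '
                    '"endpoints": [ { "url": "http://example.com/csp-reports" } ] }')
SAMPLE_CSP = "script-src https://example.com/; report-to csp-endpoints"
```

Calling lint_reporting(SAMPLE_REPORT_TO, SAMPLE_CSP) returns one finding for the cleartext endpoint and one for the undefined group; the two-group header shown above, paired with report-to csp-endpoint-1, returns an empty list.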

Specifications

This header configuration is no longer part of any active standard but was previously included in the Reporting API.

How to Modify Header using Requestly

Requestly is a handy Chrome extension that lets you modify the Report-To HTTP header. This is helpful for developers who want to control how browser reporting mechanisms behave or test how applications handle different reporting configurations.

Steps to modify the Report-To header:

  1. Install and open the Requestly Chrome extension. You can get it from the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and select “Modify Headers” from the options.
  3. Add a new header modification:
    • Choose “Add” or “Override” for “Action”.
    • Enter Report-To in the “Header Name” field.
    • Provide your desired JSON configuration string in the “Header Value” field. For example:
      { "group": "default", "max_age": 10886400, "endpoints": [{ "url": "https://example.com/reports" }], "include_subdomains": true }
  4. Set the URL condition: Define the URL or pattern where the header modification applies, like https://your-site.com/*.
  5. Save the rule.

This setup causes Requestly to inject the customized Report-To header into the responses for matching URLs. This helps you test how your site handles reporting endpoints or modify browser reporting behavior during development.