CSP reporting directives are used in a Content-Security-Policy
header and control the reporting process of CSP violations.
List of CSP reporting directives
report-uri
- Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

  Though the report-to directive is intended to replace the deprecated report-uri directive, report-to isn’t supported in most browsers yet. So for compatibility with current browsers while also adding forward compatibility when browsers get report-to support, you can specify both report-uri and report-to:

  Content-Security-Policy: ...; report-uri https://endpoint.example.com; report-to groupname

  In browsers that support report-to, the report-uri directive will be ignored.

report-to
- Fires a SecurityPolicyViolationEvent.
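When both directives are set as described above, the collection endpoint receives two payload shapes. The following is an added example, not code from the original page, of normalising them on the receiving side. The media types and field names come from the CSP and Reporting API specifications rather than from this page; parseCspReports, clean and MAX_BODY_CHARS are hypothetical names, and the sample payloads are constructed.

```javascript
// Added example: normalise CSP violation reports received at a collection endpoint.
// parseCspReports, clean and MAX_BODY_CHARS are hypothetical names; payloads are constructed.
const MAX_BODY_CHARS = 16 * 1024; // assumed limit; the endpoint accepts POSTs from anyone

// Keep only strings, drop control characters (log injection), bound the length.
const clean = (v) =>
  typeof v === 'string' ? v.replace(/[\x00-\x1f\x7f]/g, '').slice(0, 2048) : '';

function parseCspReports(contentType, rawBody) {
  const type = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (typeof rawBody !== 'string' || rawBody.length > MAX_BODY_CHARS) return [];
  let data;
  try { data = JSON.parse(rawBody); } catch { return []; }

  let bodies = [];
  if (type === 'application/csp-report') {
    // report-uri: one JSON object wrapped in a "csp-report" key
    if (data && typeof data === 'object') bodies = [data['csp-report']];
  } else if (type === 'application/reports+json') {
    // report-to: an array of reports of mixed types; keep the CSP ones
    if (Array.isArray(data)) {
      bodies = data.filter((r) => r && r.type === 'csp-violation').map((r) => r.body);
    }
  } // any other media type yields no reports

  return bodies
    .filter((b) => b && typeof b === 'object' && !Array.isArray(b))
    .map((b) => ({
      documentUrl: clean(b['document-uri'] ?? b.documentURL),
      blockedUrl: clean(b['blocked-uri'] ?? b.blockedURL),
      directive: clean(b['effective-directive'] ?? b['violated-directive'] ?? b.effectiveDirective),
      disposition: clean(b.disposition),
    }));
}

// Constructed sample payloads, one per delivery mechanism.
const legacySample = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://app.example.com/', 'blocked-uri': 'https://cdn.example.net/x.js',
  'violated-directive': 'script-src', disposition: 'enforce' } });
const modernSample = JSON.stringify([
  { type: 'deprecation', body: { id: 'constructed' } },
  { type: 'csp-violation', url: 'https://app.example.com/', body: {
    documentURL: 'https://app.example.com/', blockedURL: 'inline',
    effectiveDirective: 'script-src-elem', disposition: 'report' } },
]);

console.log(parseCspReports('application/csp-report', legacySample));
console.log(parseCspReports('application/reports+json; charset=utf-8', modernSample));
```

Report contents are supplied by whoever sends the POST, so treat every field as untrusted input when storing or displaying it.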