report-urireport-uri specifies a URL to which the browser POSTs a JSON violation report when a CSP violation occurs. It collects information about the offending resource and blocked directive so you can tune the policy or monitor attack attempts. This directive is deprecated in favor of report-to.
On a violation, the browser sends an application/csp-report body to the given URL. This is an essential observability tool when rolling CSP into production. Combined with the Content-Security-Policy-Report-Only header, you can collect violations without enforcing the policy — validating it safely before promoting to enforcement mode.
Although report-uri is deprecated in the spec, its browser support is broad, so in practice a backward-compatible strategy of keeping both report-to and report-uri is recommended (older browsers use report-uri; browsers supporting report-to prefer it). report-uri does not fall back to default-src, so declare it explicitly when needed.
Content-Security-Policy: default-src 'self'; report-uri https://report.example.com/csp