report-uri
Content-Security-Policy Reporting

Overview

report-uri specifies a URL to which the browser POSTs a JSON violation report when a CSP violation occurs. It collects information about the offending resource and blocked directive so you can tune the policy or monitor attack attempts. This directive is deprecated in favor of report-to.

Details

On a violation, the browser sends an application/csp-report body to the given URL. This is an essential observability tool when rolling CSP into production. Combined with the Content-Security-Policy-Report-Only header, you can collect violations without enforcing the policy — validating it safely before promoting to enforcement mode.

Although report-uri is deprecated in the spec, its browser support is broad, so in practice a backward-compatible strategy of keeping both report-to and report-uri is recommended (older browsers use report-uri; browsers supporting report-to prefer it). report-uri does not fall back to default-src, so declare it explicitly when needed.

Syntax

Content-Security-Policy: default-src 'self'; report-uri https://report.example.com/csp

Notes

Related directives