Report-ToReport-To is the older Reporting API configuration header: it defines named 'groups' and endpoints telling the browser where to send various reports (CSP violations, network errors via NEL, deprecations, etc.). It is being superseded by the simpler Reporting-Endpoints.
The value is a JSON object (or several comma-separated objects for multiple groups) carrying group (the group name), max_age (config cache lifetime), and endpoints (an array of report-receiving URLs), with include_subdomains to also collect subdomain reports. A CSP report-to directive or a NEL report_to field references this group name to resolve the actual destination.
Report-To corresponds to Reporting API v0, which defines rich features like multiple endpoints, priority, weight, and a retry queue. Due to its complexity and cross-browser divergence, the newer spec simplified things to Reporting-Endpoints (v1), which maps just name=URL in a single header.
In practice it is common to send both Report-To and Reporting-Endpoints for broad compatibility: modern browsers prefer Reporting-Endpoints while older ones fall back to Report-To. However, current Chromium is already reducing/deprecating Report-To support, so new builds should standardize on Reporting-Endpoints.
Report-To: { "group": "<name>", "max_age": <seconds>, "endpoints": [{ "url": "<url>" }] }e.g. Report-To: {"group":"default","max_age":10886400,"endpoints":[{"url":"https://example.com/reports"}]}
group | Report group name; CSP report-to and NEL report_to reference this name. |
max_age | How long (seconds) the browser remembers this endpoint configuration. |
endpoints | Array of URL objects that receive reports (priority/weight can be set). |
include_subdomains | If true, reports from subdomains are also collected into this group. |