Report-To
Response header Security

Overview

Report-To is the older Reporting API configuration header: it defines named 'groups' and endpoints telling the browser where to send various reports (CSP violations, network errors via NEL, deprecations, etc.). It is being superseded by the simpler Reporting-Endpoints.

Details

The value is a JSON object (or several comma-separated objects for multiple groups) carrying group (the group name), max_age (config cache lifetime), and endpoints (an array of report-receiving URLs), with include_subdomains to also collect subdomain reports. A CSP report-to directive or a NEL report_to field references this group name to resolve the actual destination.

Report-To corresponds to Reporting API v0, which defines rich features like multiple endpoints, priority, weight, and a retry queue. Due to its complexity and cross-browser divergence, the newer spec simplified things to Reporting-Endpoints (v1), which maps just name=URL in a single header.

In practice it is common to send both Report-To and Reporting-Endpoints for broad compatibility: modern browsers prefer Reporting-Endpoints while older ones fall back to Report-To. However, current Chromium is already reducing/deprecating Report-To support, so new builds should standardize on Reporting-Endpoints.

Syntax

Report-To: { "group": "<name>", "max_age": <seconds>, "endpoints": [{ "url": "<url>" }] }

e.g. Report-To: {"group":"default","max_age":10886400,"endpoints":[{"url":"https://example.com/reports"}]}

Directives / values

groupReport group name; CSP report-to and NEL report_to reference this name.
max_ageHow long (seconds) the browser remembers this endpoint configuration.
endpointsArray of URL objects that receive reports (priority/weight can be set).
include_subdomainsIf true, reports from subdomains are also collected into this group.

Notes

Related headers

Related status codes

Specification