report-uri and report-to Directives (report-uri / report-to)

Definition: The report-uri and report-to directives tell the browser where to send a report when a Content Security Policy is violated. report-uri (CSP Level 1 and 2, marked deprecated in Level 3 but still widely supported) takes one or more URLs and POSTs a single JSON report to each of them for every violation. report-to (CSP Level 3) names an endpoint group defined through the Reporting API (the Reporting-Endpoints header, or the older Report-To header). The same Reporting API carries Network Error Logging (NEL), deprecation and other report types, and the browser delivers those reports in batches rather than one request per violation.

Why You Should Care About report-uri / report-to

Violation reporting is what lets you deploy a security policy without breaking your site. When rolling out CSP, send Content-Security-Policy-Report-Only with a report-uri (and/or report-to) directive: the browser evaluates the policy and reports what it would have blocked, but enforces nothing. Each report carries the page URL (document-uri), the directive that was violated (violated-directive / effective-directive), the blocked resource (blocked-uri, which is a URL or a token such as "inline" or "eval"), and, where known, the script file and line that triggered it (source-file, line-number). That is enough to add the missing source or nonce and tighten the policy iteratively.

Without reporting, deploying CSP is a trial-and-error process. You might miss edge cases that only occur for certain users, browsers, or page states. Reports provide data-driven visibility into policy effectiveness and false positives.

report-to is the newer mechanism and relies on the Reporting API, configured with the Reporting-Endpoints header (or the older Report-To header, which the first version of the API used). The browser queues reports, batches several into one POST, retries failed deliveries, and sends them out-of-band, so reports are not lost when the page unloads. Browser support still varies, so set both directives: a browser that understands report-to ignores report-uri, while one that does not falls back to report-uri, so you get coverage without duplicate reports. Services like report-uri.com, Sentry, and uriports.com can receive and aggregate reports in both formats.

How to Test for report-uri / report-to

A security audit checks whether the Content-Security-Policy or Content-Security-Policy-Report-Only response header carries a report-uri or report-to directive, and, for report-to, whether the group name it references is actually defined in a Reporting-Endpoints or Report-To header on the same response (an undefined group silently drops reports). If you are deploying or iterating on your CSP, run it in report-only mode with a reporting endpoint and collect violation data before switching to enforcement.

Questions and Answers

Should I use report-uri or report-to?
Use both. report-uri works in every browser that supports CSP at all, and although CSP Level 3 already marks it deprecated it is still honoured. report-to uses the Reporting API, which Chromium-based browsers support but Firefox does not yet. When both directives are present, a browser that implements report-to ignores report-uri, so you do not receive duplicates; make sure the group name in report-to matches a group defined in your Reporting-Endpoints (or Report-To) header.
Are CSP reports noisy?
Yes, expect significant noise from browser extensions, ad blockers and third-party tools that inject scripts and styles into pages. These typically show up with a blocked-uri or source-file (sourceFile in Reporting API reports) beginning with chrome-extension://, moz-extension:// or similar, so filter on those fields and concentrate on reports whose source-file is on your own origin or is empty (inline code). A reporting aggregation service helps manage volume, deduplicate, and surface the violations that actually come from your code.
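The following is an added example (not DomainOptic's code, nor part of any reporting service's API) showing what a self-hosted endpoint must handle when both directives are set: report-uri delivers one object under a "csp-report" key with hyphenated field names, while report-to delivers a Reporting API batch (a JSON array whose "csp-violation" entries use camelCase body fields). It normalizes both shapes, drops extension noise as discussed in the answer above, and keeps only first-party violations. The header values, the "csp-endpoint" group name, the /csp-reports path, and both sample payloads are constructed for the example.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Header values a server in report-only mode would send. Both CSP reporting
# directives are present so browsers without Reporting API support still POST
# via report-uri; browsers that honour report-to ignore report-uri instead.
# The group name "csp-endpoint" and the /csp-reports path are assumptions.
REPORTING_ENDPOINTS_HEADER = 'csp-endpoint="https://example.com/csp-reports"'
CSP_REPORT_ONLY_HEADER = (
    "default-src 'self'; script-src 'self'; "
    "report-uri /csp-reports; report-to csp-endpoint"
)

# URL schemes used by browser extensions that inject resources into pages.
EXTENSION_SCHEMES = ("chrome-extension:", "moz-extension:",
                     "safari-extension:", "safari-web-extension:")


@dataclass(frozen=True)
class Violation:
    document_uri: str
    effective_directive: str
    blocked_uri: str
    source_file: str
    disposition: str  # "report" under Report-Only, "enforce" otherwise


def parse_reports(content_type: str, raw: bytes) -> list[Violation]:
    """Parse one POST body from either delivery mechanism into Violations."""
    data = json.loads(raw)
    if content_type.startswith("application/csp-report"):
        # Legacy report-uri format: a single object, hyphenated keys.
        r = data["csp-report"]
        return [Violation(
            document_uri=r.get("document-uri", ""),
            effective_directive=r.get("effective-directive") or r.get("violated-directive", ""),
            blocked_uri=r.get("blocked-uri", ""),
            source_file=r.get("source-file", ""),
            disposition=r.get("disposition", "enforce"),
        )]
    if content_type.startswith("application/reports+json"):
        # Reporting API format: an array; other report types (NEL, deprecation)
        # can share the same endpoint and are skipped here.
        out = []
        for rep in data:
            if rep.get("type") != "csp-violation":
                continue
            b = rep["body"]
            out.append(Violation(
                document_uri=b.get("documentURL", ""),
                effective_directive=b.get("effectiveDirective", ""),
                blocked_uri=b.get("blockedURL", ""),
                source_file=b.get("sourceFile", ""),
                disposition=b.get("disposition", "enforce"),
            ))
        return out
    raise ValueError(f"unexpected Content-Type: {content_type}")


def is_extension_noise(v: Violation) -> bool:
    """True when the blocked resource or the offending script came from an extension."""
    return (v.blocked_uri.startswith(EXTENSION_SCHEMES)
            or v.source_file.startswith(EXTENSION_SCHEMES))


def is_first_party(v: Violation, own_origin: str) -> bool:
    """Keep reports raised by our own scripts, or by inline code (no source file)."""
    return v.source_file == "" or v.source_file.startswith(own_origin)


def summarize(violations, own_origin: str) -> Counter:
    """Count actionable violations by (directive, blocked URI), dropping noise."""
    keep = (v for v in violations
            if not is_extension_noise(v) and is_first_party(v, own_origin))
    return Counter((v.effective_directive, v.blocked_uri) for v in keep)


# Constructed sample: what a browser POSTs to report-uri (application/csp-report).
LEGACY_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://example.com/account", "referrer": "",
    "violated-directive": "script-src", "effective-directive": "script-src",
    "original-policy": CSP_REPORT_ONLY_HEADER, "disposition": "report",
    "blocked-uri": "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/inject.js",
    "source-file": "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/content.js",
    "status-code": 200}}).encode()

# Constructed sample: a Reporting API batch (application/reports+json).
REPORTING_API_SAMPLE = json.dumps([
    {"type": "csp-violation", "age": 12, "url": "https://example.com/account",
     "body": {"documentURL": "https://example.com/account", "effectiveDirective": "script-src",
              "blockedURL": "https://cdn.example.net/analytics.js",
              "sourceFile": "https://example.com/app.js", "disposition": "report"}},
    {"type": "csp-violation", "age": 30, "url": "https://example.com/account",
     "body": {"documentURL": "https://example.com/account", "effectiveDirective": "script-src",
              "blockedURL": "inline", "sourceFile": "", "disposition": "report"}},
    {"type": "network-error", "age": 40, "url": "https://example.com/img.png",
     "body": {"phase": "application", "type": "http.error", "status_code": 500}},
]).encode()

if __name__ == "__main__":
    found = (parse_reports("application/csp-report", LEGACY_SAMPLE)
             + parse_reports("application/reports+json", REPORTING_API_SAMPLE))
    for key, n in summarize(found, "https://example.com").items():
        print(n, *key)
```

Run against the two constructed payloads, the extension-injected script from the legacy report is discarded, the network-error entry in the batch is skipped as a different report type, and two script-src violations remain: the third-party analytics script loaded by app.js and an inline script, which are exactly the two findings that need a policy decision (add the CDN host, or move the inline code into a nonced script).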
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.