diff --git a/index.src.html b/index.src.html
index de654c6..93f0455 100644
--- a/index.src.html
+++ b/index.src.html
@@ -1146,6 +1146,48 @@
Garbage Collection
removed from the report buffer of any reporting observer.
+
+ Deployment Considerations
+
+
+
+ A server might want to include additional metadata in reports that are
+ generated for their origin. This can be accomplished by encoding the extra
+ metadata in the `url` of any `endpoints` in the `Report-To` response headers
+ for the origin — for example, in the URL path or query parameters.
+
+
+ Report-To: { "group": "csp",
+ "max-age": 10886400,
+ "endpoints": [
+ { "url": "https://example.com/reports?nonce=e897932f" }
+ ] }
+
+
+ Since the instructions in a `Report-To` header will be used for future
+ requests to the same origin, the server SHOULD NOT use this mechanism to
+ encode metadata that is only valid for the current request. The metadata MUST
+ be valid for all requests to the same origin from the same user.
+
+ Spam Mitigation
+
+ One potential use of [[#custom-metadata]] is to help prevent spam — report
+ uploads that don't correspond to a real request made by a real user. For
+ instance, when constructing the `Report-To` for a response, the server
+ could create a nonce whose value depends on the origin of the request, and the
+ public IP address of the client. The server would then embed this nonce into
+ the `url` values of the header.
+
+ When the collector receives a report, it will have access to the nonce (since
+ that will be part of the URL in the `POST` request to the collector). It can
+ construct a nonce for each report in the upload, using the origin of the
+ report's [=report/url=] and the IP address of the uploading client. If any of
+ the per-report nonces don't match the nonce in the upload URL, the
+ corresponding reports can be considered fraudulent, and dropped.
+
+
+
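Review bot: In the Spam Mitigation paragraphs the nonce is specified only as a value that "depends on the origin of the request, and the public IP address of the client", and the collector recomputes it from those same two inputs. Both inputs are known to whoever uploads a report, so as written a sender of fraudulent reports can derive a matching value and the check filters nothing. Suggest stating that the value is computed with a secret shared by the server and the collector (a keyed MAC over origin and IP, for example). "Nonce" is also a misleading name for something that is reused across every request from the same client. It is also worth adding a sentence on IP churn: the example header carries `"max-age": 10886400`, and a client whose public IP changes inside that window will upload with a stale value and have legitimate reports dropped, which conflicts with the earlier "MUST be valid for all requests to the same origin from the same user".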