Reporting-Endpoints header

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

The HTTPReporting-Endpointsresponse header allows website administrators to specify one or more endpoints that can be sent reports generated by theReporting API.

The endpoints can be used, for example, as targets for sending CSP violation reports,Cross-Origin-Opener-Policy reports, or other generic violations.

When used for reportingContent Security Policy (CSP) errors, the header is used in combination with theContent-Security-Policy headerreport-to directive.For more details on setting up CSP reporting, see theContent Security Policy (CSP) documentation.

Note:This header replacesReport-ToDeprecated for declaring endpoints, and should be used in preference.

Header type	Response header
Forbidden request header	No
CORS-safelisted response header	No

Syntax

http

Reporting-Endpoints: <endpoint>Reporting-Endpoints: <endpoint>, …, <endpointN>

<endpoint>: A reporting endpoint in the format<endpoint-name>="<URL>".The endpoints must have valid URIs in quoted strings (e.g.,my-endpoint="https://example.com/reports") and non-secure endpoints are ignored.A comma-separated list of endpoints may be provided.

Examples

Setting a CSP violation report endpoint

The following example shows how theReporting-Endpoints response header is used in conjunction with theContent-Security-Policy header to indicate where CSP violation reports are sent:

http

Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"Content-Security-Policy: default-src 'self'; report-to csp-endpoint

Specifying multiple reporting endpoints

It's possible to specify multiple endpoints that can be used for different types of violation reports.

http

Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports",                     permissions-endpoint="https://example.com/permissions-policy-reports"