Reporting-Endpoints
Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.
The HTTP Reporting-Endpoints
response header allows website administrators to specify one or more endpoints that can be sent reports generated by the Reporting API.
The endpoints can be used, for example, as targets for sending CSP violation reports, Cross-Origin-Opener-Policy
reports, or other generic violations.
When used for reporting Content Security Policy (CSP) errors, the header is used in combination with the Content-Security-Policy
header report-to
directive.
For more details on setting up CSP reporting, see the Content Security Policy (CSP) documentation.
Note:
This header replaces Report-To
Deprecated
for declaring endpoints, and should be used in preference.
Header type | Response header |
---|---|
Forbidden header name | No |
CORS-safelisted response header | No |
Syntax
Reporting-Endpoints: <endpoint>
Reporting-Endpoints: <endpoint>, <endpoint>
<endpoint>
-
A reporting endpoint in the format
<endpoint-name>="<URL>"
. The endpoints must have valid URIs in quoted strings (e.g.,my-endpoint="https://example.com/reports"
) and non-secure endpoints are ignored. A comma-separated list of endpoints may be provided.
Examples
Setting a CSP violation report endpoint
The following example shows how the Reporting-Endpoints
response header is used in conjunction with the Content-Security-Policy
header to indicate where CSP violation reports are sent:
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"
Content-Security-Policy: default-src 'self'; report-to csp-endpoint
Specifying multiple reporting endpoints
It's possible to specify multiple endpoints that can be used for different types of violation reports.
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports",
permissions-endpoint="https://example.com/permissions-policy-reports"
Specifications
Specification |
---|
Reporting API # header-field-registration |
Browser compatibility
BCD tables only load in the browser
See also
- Reporting API
- Content Security Policy (CSP) guide
Content-Security-Policy
headerreport-to
directive