Reporting-Endpoints

The HTTP Reporting-Endpoints response header allows website administrators to specify one or more endpoints that are used to receive errors such as CSP violation reports, Cross-Origin-Opener-Policy reports, or other generic violations.

This header can be used in combination with the Content-Security-Policy header report-to directive. For more details on setting up CSP reporting, see the Content Security Policy (CSP) documentation.

Header type: Response header
Forbidden header name: no
CORS-safelisted response header: no

Syntax

http
Reporting-Endpoints: <endpoint>
Reporting-Endpoints: <endpoint>, <endpoint>

<endpoint>

A reporting endpoint in the format {endpoint-name}="{URL}". Each URL must be a valid URI given as a quoted string, and non-secure endpoints are ignored. A comma-separated list of endpoints may be provided.

Examples

Setting a CSP violation report endpoint

The following example shows how the Reporting-Endpoints response header is used in conjunction with the Content-Security-Policy header to indicate where CSP violation reports are sent:

http
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"
Content-Security-Policy: default-src 'self'; report-to csp-endpoint

Specifying multiple reporting endpoints

It's possible to specify multiple endpoints that can be used for different types of violation reports:

http
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports",
                     hpkp-endpoint="https://example.com/hpkp-reports"
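A misspelled endpoint name or a non-secure URL silently disables reporting, so it is worth checking both headers together before deployment. The following Python sketch is an added example, not part of the original page: it parses a Reporting-Endpoints value, drops endpoints that are not https, and flags a CSP report-to name with no usable endpoint. The function names, the simplified name="URL" pattern, the resolution of relative URLs against a page_url argument, and the "https only" test are assumptions of this example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Simplified member pattern (assumption): key="quoted string", no escapes or parameters.
_MEMBER = re.compile(r'\s*([a-z*][a-z0-9_.*-]*)\s*=\s*"([^"\\]*)"\s*$')


def split_members(value):
    """Split a header value on commas that are outside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_reporting_endpoints(value, page_url):
    """Return (usable, rejected): name -> absolute URL, and name -> reason."""
    usable, rejected = {}, {}
    for member in split_members(value):
        m = _MEMBER.match(member)
        if not m:
            rejected[member.strip()] = 'not in name="URL" form'
            continue
        name, url = m.group(1), urljoin(page_url, m.group(2))
        if urlsplit(url).scheme != "https":
            rejected[name] = "non-secure endpoint, ignored"
        else:
            usable[name] = url
    return usable, rejected


def csp_report_to(csp):
    """Return the endpoint name used by the CSP report-to directive, if any."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if len(tokens) >= 2 and tokens[0].lower() == "report-to":
            return tokens[1]
    return None


def dangling_report_to(reporting_endpoints, csp, page_url):
    """Name referenced by CSP report-to that has no usable endpoint, or None."""
    usable, _ = parse_reporting_endpoints(reporting_endpoints, page_url)
    name = csp_report_to(csp)
    return name if name is not None and name not in usable else None
```
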
