The HTTP Reporting-Endpoints response header allows website administrators to specify one or more endpoints that are used to receive errors such as CSP violation reports, Cross-Origin-Opener-Policy reports, or other generic violations.
This header can be used in combination with the Content-Security-Policy header report-to directive.
For more details on setting up CSP reporting, see the Content Security Policy (CSP) documentation.
- <endpoint>
  A reporting endpoint in the format {endpoint-name}="{URL}". The endpoints must have valid URIs as strings in the format endpoint-name="{report-URL}", and non-secure endpoints are ignored. A comma-separated list of endpoints may be provided.
The following example shows how the Reporting-Endpoints response header is used in conjunction with the Content-Security-Policy header to indicate where CSP violation reports are sent:
It's possible to specify multiple endpoints that can be used for different types of violation reports:
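As an added example (not part of the original page), the following JavaScript lints a response's headers before deployment: it lists the endpoints a browser would keep, flags the non-secure ones that would be ignored, and checks that the CSP report-to name matches a usable endpoint. The function names, the sample header values and the rule that only absolute https: URLs count as secure are assumptions of this example.

```javascript
// Simplified parser: handles only name="url" members, not the full structured-field grammar.
function parseReportingEndpoints(headerValue) {
  const accepted = new Map();
  const ignored = [];
  const member = /(?:^|,)\s*([a-z*][a-z0-9_.*-]*)="([^"\\]*)"/g;
  for (const [, name, rawUrl] of headerValue.matchAll(member)) {
    let url;
    try {
      url = new URL(rawUrl);
    } catch {
      ignored.push({ name, reason: "not an absolute URL" });
      continue;
    }
    // Assumption: only https: counts as secure in this example.
    if (url.protocol !== "https:") {
      ignored.push({ name, reason: "non-secure endpoint" });
      continue;
    }
    accepted.set(name, url.href);
  }
  return { accepted, ignored };
}

// Endpoint name used by the CSP report-to directive, or null if absent.
function cspReportToName(cspValue) {
  for (const directive of cspValue.split(";")) {
    const [name, ...args] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "report-to") return args[0] ?? null;
  }
  return null;
}

// Report ignored endpoints and a report-to name that resolves to nothing.
function lintReporting(headers) {
  const { accepted, ignored } = parseReportingEndpoints(headers["reporting-endpoints"] ?? "");
  const target = cspReportToName(headers["content-security-policy"] ?? "");
  const problems = ignored.map((e) => `${e.name}: ${e.reason}`);
  if (target !== null && !accepted.has(target)) {
    problems.push(`report-to "${target}" has no usable endpoint`);
  }
  return { endpoints: Object.fromEntries(accepted), target, problems };
}

// Constructed sample headers; the example.com URLs are placeholders.
const sample = {
  "reporting-endpoints": 'csp-endpoint="https://example.com/csp-reports", legacy="http://example.com/reports"',
  "content-security-policy": "default-src 'self'; report-to csp-endpoint",
};
console.log(lintReporting(sample));
```

A CSP whose report-to names an endpoint that was ignored or never declared produces no reports at all, so a non-empty problems list is worth failing a deployment check on.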