Reporting-Endpoints
The HTTP Reporting-Endpoints response header allows website administrators to specify one or more endpoints that are used to receive errors such as CSP violation reports, Cross-Origin-Opener-Policy reports, or other generic violations.
This header can be used in combination with the Content-Security-Policy header report-to directive.
For more details on setting up CSP reporting, see the Content Security Policy (CSP) documentation.
| Header type | Response header |
|---|---|
| Forbidden header name | no |
| CORS-safelisted response header | no |
Syntax
Reporting-Endpoints: <endpoint>
Reporting-Endpoints: <endpoint>, <endpoint>
- <endpoint>
  A reporting endpoint in the format {endpoint-name}="{URL}". The endpoints must have valid URIs as strings in the format endpoint-name="{report-URL}", and non-secure endpoints are ignored. A comma-separated list of endpoints may be provided.
Examples
Setting a CSP violation report endpoint
The following example shows how the Reporting-Endpoints response header is used in conjunction with the Content-Security-Policy header to indicate where CSP violation reports are sent:
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"
Content-Security-Policy: default-src 'self'; report-to csp-endpoint
Specifying multiple reporting endpoints
It's possible to specify multiple endpoints that can be used for different types of violation reports:
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports",
                     hpkp-endpoint="https://example.com/hpkp-reports"
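A lint-style check for the two headers shown above, added here as an example and not part of the original page: it parses Reporting-Endpoints, sets aside endpoints that would be ignored, and flags a CSP report-to that names no usable endpoint. The function names are hypothetical, "secure" is modelled as an absolute https:// URL, and the parser is a simplified one rather than a full structured-field implementation.

```python
import re
from urllib.parse import urlsplit

# Simplified matcher for one name="URL" member (lowercase key, quoted string value).
# Assumption: this is a lint-level parser, not a full structured-field implementation.
_MEMBER = re.compile(r'([a-z*][a-z0-9_.*-]*)="([^"]*)"')

def parse_reporting_endpoints(value):
    """Return (usable, ignored): usable maps name -> URL, ignored lists (member, reason)."""
    usable, ignored = {}, []
    # Split on commas that are outside quoted strings.
    for raw in re.findall(r'(?:[^,"]|"[^"]*")+', value):
        member = raw.strip()
        if not member:
            continue
        m = _MEMBER.fullmatch(member)
        if not m:
            ignored.append((member, 'not in name="URL" form'))
            continue
        name, url = m.groups()
        try:
            parts = urlsplit(url)
        except ValueError:
            parts = None
        # Assumption: "secure" is modelled here as an absolute https:// URL.
        if parts is None or parts.scheme != "https" or not parts.netloc:
            ignored.append((name, "non-secure or invalid URL"))
            continue
        usable[name] = url
    return usable, ignored

def csp_report_to(csp):
    """Return the endpoint name given to the report-to directive, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if len(tokens) > 1 and tokens[0].lower() == "report-to":
            return tokens[1]
    return None

def check(headers):
    """Return findings for a dict of response headers; an empty list means consistent."""
    usable, ignored = parse_reporting_endpoints(headers.get("Reporting-Endpoints", ""))
    findings = [f"{name}: {why}" for name, why in ignored]
    target = csp_report_to(headers.get("Content-Security-Policy", ""))
    if target is not None and target not in usable:
        findings.append(f"report-to {target}: no usable endpoint with that name")
    return findings

if __name__ == "__main__":
    # Constructed sample: the page's CSP example with the endpoint downgraded to http.
    sample = {"Reporting-Endpoints": 'csp-endpoint="http://example.com/csp-reports"',
              "Content-Security-Policy": "default-src 'self'; report-to csp-endpoint"}
    print("\n".join(check(sample)))
```

An empty list from check() means every declared endpoint is usable and the CSP report-to name resolves to one of them.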
See also
- Content-Security-Policy report-to directive
- Content Security Policy (CSP) guide