Reporting-Endpoints header
Baseline 2024 (newly available): Since September 2024, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.
The HTTP Reporting-Endpoints response header allows website administrators to specify one or more endpoints that can be sent reports generated by the Reporting API.
The endpoints can be used, for example, as targets for sending crash reports, deprecation reports, Content Security Policy (CSP) violation reports, Cross-Origin-Opener-Policy reports, and so on.
Note: This header replaces Report-To (deprecated) for declaring endpoints, and should be used in preference.
| Header type | Response header |
|---|---|
| CORS-safelisted response header | No |
Syntax
Reporting-Endpoints: <endpoint>
Reporting-Endpoints: <endpoint>, …, <endpointN>
<endpoint>
A reporting endpoint in the format <endpoint-name>="<URL>". The endpoints must have valid URIs in quoted strings (e.g., my-endpoint="https://example.com/reports") and non-secure endpoints are ignored. A comma-separated list of endpoints may be provided.
Description
The Reporting-Endpoints header defines the mapping between an endpoint name and a URL.
This name can be used to identify the reporting endpoint for policy violations in some HTTP headers.
For example, the Content-Security-Policy allows you to specify the reporting endpoint name in its report-to directive, while the endpoints key serves the same purpose for Integrity-Policy violations.
Default reporting endpoint
The default reporting endpoint is an endpoint with the name "default", as shown:
Reporting-Endpoints: default="https://example.com/reports"
This may be used as the reporting endpoint in cases where the HTTP header that triggers a report does not have a mechanism for specifying the endpoint, such as the Permissions-Policy header.
It may also be used as the endpoint for reports where there is no associated HTTP header at all, such as for deprecation reports.
Examples
Setting a CSP violation report endpoint
The following example shows how the Reporting-Endpoints response header is used in conjunction with the Content-Security-Policy header to indicate where CSP violation reports are sent:
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"
Content-Security-Policy: default-src 'self'; report-to csp-endpoint
Specifying multiple reporting endpoints
It's possible to specify multiple endpoints that can be used for different types of violation reports.
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports",
permissions-endpoint="https://example.com/permissions-policy-reports"
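A lint for the rules above, as an added example that is not part of the original page: it parses a Reporting-Endpoints value, separates out endpoints that would be ignored as non-secure, and checks that the name in a CSP report-to directive maps to a declared endpoint. The function names, the sample headers and the base URL are assumptions, and only https:// URLs are treated as secure here.

```python
import re
from urllib.parse import urljoin, urlsplit

# One list member: a lowercase name, then the URL as a quoted string.
# Simplification: string escapes and parameters are rejected as malformed.
_MEMBER = re.compile(r'\s*([a-z*][a-z0-9_.*-]*)="([^"\\]*)"\s*(?:,|$)')


def parse_reporting_endpoints(value, base):
    """Split a Reporting-Endpoints value into (usable, ignored) name -> URL maps."""
    usable, ignored = {}, {}
    pos, value = 0, value.strip()
    while pos < len(value):
        m = _MEMBER.match(value, pos)
        if m is None:
            raise ValueError(f"malformed endpoint at offset {pos}: {value[pos:]!r}")
        name, url = m.groups()
        resolved = urljoin(base, url)  # relative URLs resolve against the page URL
        # Assumption: only https:// counts as a secure endpoint in this check.
        target = usable if urlsplit(resolved).scheme == "https" else ignored
        target[name] = resolved
        pos = m.end()
    return usable, ignored


def csp_report_to(csp):
    """Return the endpoint name given to the CSP report-to directive, or None."""
    for directive in csp.split(";"):
        words = directive.split()
        if len(words) >= 2 and words[0].lower() == "report-to":
            return words[1]
    return None


def lint(headers, base="https://example.com/"):
    """Return a list of findings for one response's headers (a plain dict)."""
    usable, ignored = parse_reporting_endpoints(headers.get("Reporting-Endpoints", ""), base)
    findings = [f"{name}: non-secure URL {url}, endpoint ignored"
                for name, url in ignored.items()]
    name = csp_report_to(headers.get("Content-Security-Policy", ""))
    if name is not None and name not in usable:
        findings.append(f"CSP report-to names {name!r}, which is not a usable endpoint")
    if "default" not in usable:
        findings.append("no 'default' endpoint declared")
    return findings


# Constructed sample: the page's CSP example with the endpoint changed to http://.
SAMPLE = {
    "Reporting-Endpoints": 'csp-endpoint="http://example.com/csp-reports"',
    "Content-Security-Policy": "default-src 'self'; report-to csp-endpoint",
}
print("\n".join(lint(SAMPLE)))
```

A CSP whose report-to name has no usable endpoint produces no violation reports at that destination, so this check is worth running against staging responses before a policy is enforced.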
Specifications
| Specification |
|---|
| Reporting API # header-field-registration |
See also
- Reporting API
- Content Security Policy (CSP) guide
- Content-Security-Policy header report-to directive