The HTTP Reporting-Endpoints response header allows website administrators to specify one or more endpoints that are used to receive errors such as CSP violation reports, Cross-Origin-Opener-Policy reports, or other generic violations.

This header can be used in combination with the Content-Security-Policy header report-to directive. For more details on setting up CSP reporting, see the Content Security Policy (CSP) documentation.

Header type Response header
Forbidden header name no
CORS-safelisted response header no


Reporting-Endpoints: <endpoint>
Reporting-Endpoints: <endpoint>, <endpoint>

A reporting endpoint in the format {endpoint-name}="{URL}". The endpoints must have valid URIs as strings in the format endpoint-name-"{report-URL}" and non-secure endpoints are ignored. A comma-separated list of endpoints may be provided.


Setting a CSP violation report endpoint

The following example shows how the Reporting-Endpoints response header is used in conjunction with the Content-Security-Policy header to indicate where CSP violation reports are sent:

Reporting-Endpoints: csp-endpoint=""
Content-Security-Policy: default-src 'self'; report-to csp-endpoint

Specifying multiple reporting endpoints

It's possible to specify multiple endpoints that can be used for different types of violation reports:

Reporting-Endpoints: csp-endpoint="",


No specification found

No specification data found for http.headers.Reporting-Endpoints.
Check for problems with this page or contribute a missing spec_url to mdn/browser-compat-data. Also make sure the specification is included in w3c/browser-specs.

Browser compatibility

BCD tables only load in the browser

See also