docs.rodeo

MDN Web Docs mirror

Reporting-Endpoints header

The HTTP Reporting-Endpoints {{Glossary("response header")}}  allows website administrators to specify one or more endpoints that can be sent reports generated by the Reporting API.

The endpoints can be used, for example, as targets for sending CSP violation reports, {{HTTPHeader("Cross-Origin-Opener-Policy")}}  reports, or other generic violations.

When used for reporting Content Security Policy (CSP) errors, the header is used in combination with the {{HTTPHeader("Content-Security-Policy")}}  header {{CSP("report-to")}}  directive. For more details on setting up CSP reporting, see the Content Security Policy (CSP) documentation.

[!NOTE] This header replaces {{HTTPHeader("Report-To")}}  {{deprecated_inline}}  for declaring endpoints, and should be used in preference.

Header type `{{Glossary("Response header")}}` 
`{{Glossary("Forbidden request header")}}`  No
`{{Glossary("CORS-safelisted response header")}}`  No

Syntax

Reporting-Endpoints: <endpoint>
Reporting-Endpoints: <endpoint>, …, <endpointN>

Examples

Setting a CSP violation report endpoint

The following example shows how the Reporting-Endpoints response header is used in conjunction with the {{HTTPHeader("Content-Security-Policy")}}  header to indicate where CSP violation reports are sent:

Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"
Content-Security-Policy: default-src 'self'; report-to csp-endpoint

Specifying multiple reporting endpoints

It’s possible to specify multiple endpoints that can be used for different types of violation reports.

Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports",
                     permissions-endpoint="https://example.com/permissions-policy-reports"

Specifications

{{Specifications}} 

Browser compatibility

{{Compat}} 

See also

In this article

View on MDN