Reporting-Endpoints
The HTTP Reporting-Endpoints response header declares named endpoints where the browser sends reports such as CSP violations, deprecation warnings, intervention notices, and crash logs.
Usage
The Reporting-Endpoints header is part of the W3C Reporting API and serves as the successor to Report-To. Where Report-To uses JSON objects with nested arrays, Reporting-Endpoints uses a simpler key-value syntax resembling Structured Fields.
A server includes one or more named endpoints in the header value. Each endpoint is a key paired with a quoted URL. Other headers reference these endpoint names to route specific report types. For example, a Content-Security-Policy header uses the report-to directive with the endpoint name to direct violation reports to the declared URL.
Reports are sent out-of-band by the browser in the background. The endpoint URLs must be HTTPS. The browser silently discards endpoints with non-secure URLs.
Directives
endpoint-name
The endpoint-name is a token identifying the reporting destination. The name is referenced by other HTTP headers such as Content-Security-Policy or Cross-Origin-Opener-Policy to route their reports. The value paired with the name is a quoted URL pointing to the collection endpoint.
Multiple endpoints are separated by commas, each with its own name and URL.
Example
A single endpoint named default collects all report types not routed to a specific named endpoint. The browser sends deprecation warnings, intervention notices, and crash reports to this URL automatically.
Reporting-Endpoints: default="https://reports.example.re/default"
A CSP violation endpoint named csp-endpoint receives Content-Security-Policy violation reports. The matching Content-Security-Policy header ties violations to this endpoint through its report-to directive.
Reporting-Endpoints: csp-endpoint="https://reports.example.re/csp"
Content-Security-Policy: default-src 'self'; report-to csp-endpoint
Multiple endpoints in a single header cover different report categories. The coop_report endpoint handles Cross-Origin-Opener-Policy violations while permissions_policy handles Permissions-Policy violations. A default endpoint catches everything else.
Reporting-Endpoints: coop_report="https://reports.example.re/coop", default="https://reports.example.re/browser-errors", permissions_policy="https://reports.example.re/permissions"
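Because the browser discards non-HTTPS endpoints silently, a misconfigured header loses reports without any visible error. The following check is an added example, not part of the original page: it parses a Reporting-Endpoints value and confirms that a Content-Security-Policy report-to name is actually declared. The function names are hypothetical, the parser is a simplified one rather than a full Structured Fields implementation, and endpoint URLs are assumed to be absolute as in the examples above.

```python
import re
from urllib.parse import urlsplit

# Simplified member pattern: token key, "=", quoted string, optional comma.
# Assumption: no Structured Fields parameters or escaped characters.
_MEMBER = re.compile(r'\s*([a-z*][a-z0-9_.*-]*)="([^"\\]*)"\s*(?:,|$)')

def parse_reporting_endpoints(value):
    """Return {endpoint-name: url} from a Reporting-Endpoints header value."""
    endpoints, pos = {}, 0
    while pos < len(value):
        m = _MEMBER.match(value, pos)
        if not m:
            raise ValueError(f"malformed header near offset {pos}")
        endpoints[m.group(1)] = m.group(2)
        pos = m.end()
    return endpoints

def csp_report_to(csp):
    """Return the endpoint name from the CSP report-to directive, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if len(parts) >= 2 and parts[0].lower() == "report-to":
            return parts[1]
    return None

def audit(reporting_endpoints, csp=None):
    """List configuration problems that would cause reports to be lost."""
    findings = []
    endpoints = parse_reporting_endpoints(reporting_endpoints)
    for name, url in endpoints.items():
        parts = urlsplit(url)
        # Assumption: absolute URLs only; anything but https:// is flagged.
        if parts.scheme != "https" or not parts.netloc:
            findings.append(f"{name}: non-HTTPS URL {url!r} is discarded")
    if csp is not None:
        target = csp_report_to(csp)
        if target is None:
            findings.append("CSP has no report-to directive")
        elif target not in endpoints:
            findings.append(f"CSP report-to {target!r} is not declared")
    return findings

if __name__ == "__main__":
    # Constructed misconfiguration: plain-HTTP URL and an undeclared CSP target.
    bad = 'default="http://reports.example.re/default"'
    for line in audit(bad, "default-src 'self'; report-to csp-endpoint"):
        print(line)
```

Running the same audit against response headers in a deployment check catches both failure modes before reports start going missing.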
Takeaway
The Reporting-Endpoints response header defines named HTTPS endpoints for browser-generated reports, replacing Report-To with a simpler key-value syntax.