HTTP Headers
Reporting Endpoints
HTTP Header
The HTTP Reporting-Endpoints response header allows website administrators to specify one or more endpoints to which reports generated by the Reporting API can be sent.
The endpoints can serve as targets for transmitting various reports, such as Content Security Policy (CSP) violation reports, Cross-Origin-Opener-Policy reports, or other types of violations.
When used for reporting Content Security Policy (CSP) errors, this header works together with the Content-Security-Policy header’s report-to directive.
For more information on setting up CSP reporting, consult the Content Security Policy (CSP) documentation.
| Header type | Response header |
|---|---|
| Forbidden request header | No |
| CORS-safelisted response header | No |
Syntax
http
Reporting-Endpoints: <endpoint>
Reporting-Endpoints: <endpoint>, …, <endpointN>
Reporting Endpoints specify where reports should be sent in a server-to-server communication.
Each reporting endpoint definition follows this format: <endpoint-name>="<URL>". The URL must be a valid URI enclosed in quotes, such as my-endpoint="https://example.com/reports". Non-secure endpoints (those that do not use HTTPS) are ignored. Multiple endpoints can be listed, separated by commas.
Directives
Examples
The following examples demonstrate how to configure response headers for Content Security Policy (CSP) violation reports.
Setting a CSP violation report endpoint
The first example shows how to specify a single endpoint where violation reports are sent, using the Reporting-Endpoints header in combination with the Content-Security-Policy header:
Reporting-Endpoints: csp-endpoint=”https://example.com/csp-reports”<br>Content-Security-Policy: default-src ‘self’; report-to csp-endpoint
Specifying multiple reporting endpoints
The second example illustrates how to configure multiple endpoints for different types of violation reports:
Reporting-Endpoints: csp-endpoint=”https://example.com/csp-reports”, permissions-endpoint=”https://example.com/permissions-policy-reports”
How to Modify Header using Requestly
Requestly is a powerful Chrome extension that allows you to modify HTTP headers, including the Reporting-Endpoints header. This can help you test how your site handles reporting features or troubleshoot delivery of reports to different endpoints. Steps to Modify the Reporting-Endpoints Header:
- Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
- Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
- Add a new header modification:
- Under “Action”, select “Add” or “Override”.
- In the “Header Name” field, enter Reporting-Endpoints.
- In the “Header Value” field, enter your desired endpoint configuration (e.g., default=”https://example.com/reports”).
- Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-website.com/*).
- Save the rule.
Once set up, Requestly will inject the Reporting-Endpoints header with your configured value into all matching requests, enabling you to test or modify how and where browser reports are sent.
Modifying the Reporting-Endpoints header is useful to control or redirect browser reports such as network errors or performance metrics to a custom endpoint. This helps developers test monitoring setups or debug reporting issues without changing server configurations.
Table of Contents
- No headings found.
