NEL
Response header Security

Overview

NEL (Network Error Logging) is a header that has the browser observe network-level request success/failure for an origin (DNS failures, TCP resets, TLS errors, protocol errors, etc.) and report them to the server. It captures, from the client's vantage point, even 'never connected' failures that never reach server logs.

Details

The value is a JSON object with report_to (the report group name), max_age (policy lifetime), include_subdomains, success_fraction, and failure_fraction. The group named by report_to must be defined in a Reporting-Endpoints (or legacy Report-To) header, and network-error reports are sent to that endpoint.

NEL's real value is catching failures the server can never see: if a user's DNS breaks, an intermediate network resets TCP, or a TLS handshake fails, the request never reaches the server and server logs are empty. NEL has the browser record such events and send them later (once connectivity recovers), letting you remotely diagnose CDN/edge outages or region-specific network issues.

A typical setup keeps success_fraction low (e.g. 0.01) to sample only some healthy requests while setting failure_fraction to 1.0 so no failures are missed. Reports include request URL, status, error type, server IP, and protocol, which is privacy-sensitive, so collection and retention must be designed carefully.

Syntax

NEL: { "report_to": "<group>", "max_age": <seconds>, "include_subdomains": <bool>, "failure_fraction": <0..1> }

e.g. NEL: {"report_to":"default","max_age":2592000,"include_subdomains":true,"failure_fraction":1.0}

Directives / values

report_toThe Reporting-Endpoints/Report-To group name to send network-error reports to.
max_ageHow long (seconds) the browser retains this NEL policy.
include_subdomainsIf true, applies this policy to subdomains as well.
success_fraction / failure_fractionSampling fraction (0.0-1.0) of successful/failed requests to report; failures often 1.0, successes low.

Notes

Related headers

Related status codes

Specification