Reporting-Endpoints
Response header Security

Overview

Reporting-Endpoints is the Reporting API v1 configuration header, simply mapping report-group names to receiving URLs as name="url" pairs. It is the modern, recommended way to define destinations for collecting CSP, COOP, COEP, deprecation, and other reports.

Details

The syntax is a Structured Fields dictionary where each item pairs a group name with a double-quoted absolute URL, e.g. Reporting-Endpoints: csp-endpoint="https://example.com/csp", default="https://example.com/reports". Other headers reference these names to find a destination, as in CSP's report-to csp-endpoint. It is less error-prone than hand-assembling the JSON of Report-To.

The default group is a special convention: reports without an explicit group (browser interventions, API deprecations, crashes, etc.) are sent under this name. So defining just default lets you collect a variety of browser reports in one place.

URLs must be absolute HTTPS, and the header is valid only in a secure context. Reports are POSTed as an array in application/reports+json, and the browser may batch and retry them, so do not assume real-time delivery. A cross-origin collection endpoint needs its own preflight/CORS considerations.

Syntax

Reporting-Endpoints: <name>="<url>"[, <name>="<url>"]*

e.g. Reporting-Endpoints: csp-endpoint="https://example.com/csp", default="https://example.com/reports"

Directives / values

<name>="<url>"A pair of report-group name and the absolute HTTPS URL to POST those reports to; CSP report-to etc. reference this name.
defaultThe conventional default group name; reports without an explicit group (deprecation, intervention, etc.) go here.

Notes

Related headers

Related status codes

Specification