Reporting-EndpointsReporting-Endpoints is the Reporting API v1 configuration header, simply mapping report-group names to receiving URLs as name="url" pairs. It is the modern, recommended way to define destinations for collecting CSP, COOP, COEP, deprecation, and other reports.
The syntax is a Structured Fields dictionary where each item pairs a group name with a double-quoted absolute URL, e.g. Reporting-Endpoints: csp-endpoint="https://example.com/csp", default="https://example.com/reports". Other headers reference these names to find a destination, as in CSP's report-to csp-endpoint. It is less error-prone than hand-assembling the JSON of Report-To.
The default group is a special convention: reports without an explicit group (browser interventions, API deprecations, crashes, etc.) are sent under this name. So defining just default lets you collect a variety of browser reports in one place.
URLs must be absolute HTTPS, and the header is valid only in a secure context. Reports are POSTed as an array in application/reports+json, and the browser may batch and retry them, so do not assume real-time delivery. A cross-origin collection endpoint needs its own preflight/CORS considerations.
Reporting-Endpoints: <name>="<url>"[, <name>="<url>"]*e.g. Reporting-Endpoints: csp-endpoint="https://example.com/csp", default="https://example.com/reports"
<name>="<url>" | A pair of report-group name and the absolute HTTPS URL to POST those reports to; CSP report-to etc. reference this name. |
default | The conventional default group name; reports without an explicit group (deprecation, intervention, etc.) go here. |