1. Web
  2. HTTP
  3. Reference
  4. Headers
  5. Reporting-Endpoints

Reporting-Endpoints header

Baseline 2026
Newly available

Since March 2026, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.

The HTTP Reporting-Endpoints response header allows website administrators to specify one or more endpoints that can be sent reports generated by the Reporting API.

The endpoints can be used, for example, as targets for sending CSP violation reports, Cross-Origin-Opener-Policy reports, or other generic violations.

When used for reporting Content Security Policy (CSP) errors, the header is used in combination with the Content-Security-Policy header report-to directive. For more details on setting up CSP reporting, see the Content Security Policy (CSP) documentation.

Note: This header replaces Report-To for declaring endpoints, and should be used in preference.

Header type Response header
CORS-safelisted response header No

Syntax

http
Reporting-Endpoints: <endpoint>
Reporting-Endpoints: <endpoint>, …, <endpointN>
<endpoint>

A reporting endpoint in the format <endpoint-name>="<URL>". The endpoints must have valid URIs in quoted strings (e.g., my-endpoint="https://example.com/reports") and non-secure endpoints are ignored. A comma-separated list of endpoints may be provided.

Examples

Setting a CSP violation report endpoint

The following example shows how the Reporting-Endpoints response header is used in conjunction with the Content-Security-Policy header to indicate where CSP violation reports are sent:

http
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"
Content-Security-Policy: default-src 'self'; report-to csp-endpoint

Specifying multiple reporting endpoints

It's possible to specify multiple endpoints that can be used for different types of violation reports.

http
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports",
                     permissions-endpoint="https://example.com/permissions-policy-reports"

Specifications

Specification
Reporting API
# header-field-registration

Browser compatibility

See also

Help improve MDN

Learn how to contribute

This page was last modified on by MDN contributors.

View this page on GitHubReport a problem with this content