Reporting-Endpoints HTTP Header
The Reporting-Endpoints HTTP response header provides a modern mechanism for website administrators to define endpoints where browsers should send reports about security policy violations and other browser-level issues. It works alongside Content Security Policy and other security headers to provide visibility into security events happening in users' browsers.
Understanding Reporting-Endpoints
The Reporting-Endpoints header defines named endpoints that can be referenced by other security headers. This creates a centralized way to manage where different types of security reports will be sent.
Basic Reporting-Endpoints header configuration
Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/<myendpoint>"
The CSP report-to directive references an endpoint name defined in the Reporting-Endpoints header:
Reporting-Endpoints header working with CSP
HTTP/1.1 200 OK
Content-Type: text/html
Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/<myendpoint>"
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-scripts.com; report-to csp-endpoint
Integration with Security Headers
The Reporting-Endpoints header is designed to work with other security features:
Content Security Policy (CSP)
CSP uses the report-to directive to specify which endpoint should receive violation reports:
CSP using report-to directive
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to csp-endpoint
Real-World Implementation Example
Here's a comprehensive example showing how Reporting-Endpoints can be used with security headers:
Comprehensive security headers with Reporting-Endpoints
HTTP/1.1 200 OK
Content-Type: text/html
Reporting-Endpoints: security-endpoint="https://report.centralcsp.com/<myendpoint>"
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to security-endpoint
Report Format
When a CSP violation occurs, the browser sends a JSON report to the specified endpoint. Here's an example of what a CSP violation report looks like:
Example CSP violation report
{
"type": "csp-violation",
"age": 10,
"url": "https://example.com/page.html",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
"body": {
"blocked-uri": "https://malicious-site.com/script.js",
"disposition": "enforce",
"document-uri": "https://example.com/page.html",
"effective-directive": "script-src",
"original-policy": "default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to security-endpoint",
"referrer": "",
"status-code": 0,
"violated-directive": "script-src"
}
}
Report Processing
These reports can be collected and analyzed to identify security issues, malicious attacks, or configuration problems in your security policies.
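As an added example (not code from this page or from CentralCSP), here is a small receiver-side parser for the batches a browser POSTs to the endpoint named in Reporting-Endpoints: it checks the application/reports+json media type, keeps only csp-violation reports, accepts both the Reporting API's camelCase body keys (blockedURL, effectiveDirective) and the hyphenated spellings shown in the report above, and tallies violations per directive and blocked origin. The sample batch and the endpoint names in it are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample batch, shaped like what a browser POSTs to a Reporting-Endpoints
# endpoint: Content-Type application/reports+json, body is a JSON array of reports.
SAMPLE_BATCH = json.dumps([
    {"type": "csp-violation", "age": 10, "url": "https://example.com/page.html",
     "user_agent": "Mozilla/5.0", "body": {
         "blockedURL": "https://malicious-site.com/script.js", "disposition": "enforce",
         "documentURL": "https://example.com/page.html", "effectiveDirective": "script-src",
         "originalPolicy": "default-src 'self'; report-to csp-endpoint", "statusCode": 0}},
    {"type": "csp-violation", "age": 3, "url": "https://example.com/other.html",
     "user_agent": "Mozilla/5.0", "body": {
         "blocked-uri": "inline", "disposition": "report",
         "document-uri": "https://example.com/other.html",
         "effective-directive": "style-src-elem", "status-code": 200}},
    {"type": "deprecation", "age": 0, "url": "https://example.com/page.html",
     "user_agent": "Mozilla/5.0", "body": {"id": "SomeFeature"}},
]).encode()

# Reporting API (camelCase) and legacy report-uri (hyphenated) spellings of each field.
FIELDS = {
    "blocked": ("blockedURL", "blocked-uri"),
    "document": ("documentURL", "document-uri"),
    "directive": ("effectiveDirective", "effective-directive"),
    "disposition": ("disposition",),
}

def parse_csp_reports(content_type, raw):
    """Validate the media type, decode the batch and normalise csp-violation reports."""
    if content_type.split(";")[0].strip() != "application/reports+json":
        raise ValueError("unexpected Content-Type: %s" % content_type)
    batch = json.loads(raw.decode("utf-8"))
    if not isinstance(batch, list):
        raise ValueError("report batch must be a JSON array")
    out = []
    for report in batch:
        if report.get("type") != "csp-violation":
            continue  # deprecation, intervention, etc. are handled elsewhere
        body = report.get("body", {})
        rec = {k: next((body[n] for n in names if n in body), None) for k, names in FIELDS.items()}
        rec["age_s"] = report.get("age")  # milliseconds since the violation, per the Reporting API
        out.append(rec)
    return out

def blocked_origins(reports):
    """Count violations per (directive, blocked origin); 'inline'/'eval' keep their keyword."""
    def origin(v):
        p = urlsplit(v or "")
        return "%s://%s" % (p.scheme, p.netloc) if p.netloc else (v or "unknown")
    return Counter((r["directive"], origin(r["blocked"])) for r in reports)
```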
Technical Considerations
Important
Reporting endpoints must be served over HTTPS to ensure secure transmission of violation data. Consider using report-uri as a fallback for older browsers; both directives can be present in the same policy, and browsers that understand report-to ignore report-uri.
Related Resources
- MDN Web Docs: Reporting-Endpoints
- Google Web Fundamentals: Reporting API
- CSP Reporting and Monitoring
Conclusion
The Reporting-Endpoints header provides a modern and efficient way to monitor security policy violations. By properly configuring this header with your Content Security Policy, you can maintain a robust security posture while ensuring your web applications remain protected against potential threats.