Reporting-Endpoints HTTP Header

The Reporting-Endpoints HTTP response header provides a modern mechanism for website administrators to define endpoints where browsers should send reports about security policy violations and other browser-level issues. It works alongside Content Security Policy and other security headers to provide visibility into security events happening in users' browsers.

Understanding Reporting-Endpoints

The Reporting-Endpoints header defines named endpoints that can be referenced by other security headers. This creates a centralized way to manage where different types of security reports will be sent.

Basic Reporting-Endpoints header configuration

Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/<myendpoint>"

When used with Content Security Policy, the report-to directive would reference an endpoint name defined in the Reporting-Endpoints header:

Reporting-Endpoints header working with CSP

HTTP/1.1 200 OK
Content-Type: text/html
Reporting-Endpoints: csp-endpoint="https://report.centralcsp.com/<myendpoint>"
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-scripts.com; report-to csp-endpoint


Integration with Security Headers

The Reporting-Endpoints header is designed to work with security features:

Content Security Policy (CSP)

CSP uses the report-to directive to specify which endpoint should receive violation reports:

CSP using report-to directive

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to csp-endpoint

Real-World Implementation Example

Here's a comprehensive example showing how Reporting-Endpoints can be used with security headers:

Comprehensive security headers with Reporting-Endpoints

HTTP/1.1 200 OK
Content-Type: text/html
Reporting-Endpoints: security-endpoint="https://report.centralcsp.com/<myendpoint>"
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to security-endpoint

In this example, the CSP's report-to directive sends every violation report to the single endpoint named security-endpoint.
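The pairing above only works when the name after report-to exactly matches a name defined in Reporting-Endpoints and that endpoint is an absolute https URL; a typo in either place silently drops every report. The following is an added example, not code from the page or from any project it mentions: a small consistency check in Python that parses both headers and reports mismatches. The header values are constructed to mirror the page's examples (the endpoint URL is the page's placeholder), and the BAD_HEADERS dictionary is an invented misconfiguration used to show what the check flags.

```python
import re
from urllib.parse import urlsplit

# Constructed sample headers, modelled on the page's example (the endpoint URL is a placeholder).
GOOD_HEADERS = {
    "Reporting-Endpoints": 'csp-endpoint="https://report.centralcsp.com/<myendpoint>"',
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://trusted-cdn.com; "
        "report-to csp-endpoint"
    ),
}

# Constructed misconfiguration: a plain-http endpoint and a report-to name that is never defined.
BAD_HEADERS = {
    "Reporting-Endpoints": 'csp="http://report.example.invalid/collect"',
    "Content-Security-Policy": "default-src 'self'; report-to csp-endpoint",
}

# One dictionary member of the Structured Field value: name="url"
_MEMBER = re.compile(r'([a-z*][a-z0-9_\-.*]*)\s*=\s*"([^"]*)"')


def parse_reporting_endpoints(value):
    """Return {endpoint-name: url} from a Reporting-Endpoints header value."""
    return {name: url for name, url in _MEMBER.findall(value)}


def parse_csp(value):
    """Return {directive-name: [values]} from a Content-Security-Policy header value."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_reporting_config(headers):
    """Cross-check Reporting-Endpoints against the CSP's reporting directives.

    Returns a list of (severity, message) tuples; an empty list means nothing was found.
    """
    findings = []
    endpoints = parse_reporting_endpoints(headers.get("Reporting-Endpoints", ""))
    csp = parse_csp(headers.get("Content-Security-Policy", ""))

    # Every endpoint must be an absolute https URL; browsers do not deliver to anything else.
    for name, url in endpoints.items():
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            findings.append(("error", f"endpoint '{name}' is not an absolute https URL: {url}"))

    report_to = csp.get("report-to")
    if report_to is None:
        if "report-uri" not in csp:
            findings.append(("warning", "CSP has neither report-to nor report-uri; violations go unreported"))
        return findings  # nothing further to cross-check

    if len(report_to) != 1:
        findings.append(("error", "report-to must name exactly one endpoint"))
    elif report_to[0] not in endpoints:
        findings.append(("error", f"report-to names '{report_to[0]}', which Reporting-Endpoints does not define"))

    if "report-uri" not in csp:
        findings.append(("info", "no report-uri fallback for browsers without Reporting API support"))
    return findings


if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(label, check_reporting_config(hdrs))
```

Run against the page-style headers the only finding is the informational note about a missing report-uri fallback; against the constructed misconfiguration it reports the non-https endpoint and the dangling report-to name as errors. The check is deliberately strict about the scheme because a mis-typed endpoint does not produce an error anywhere visible to the site operator.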

Report Format

When a CSP violation occurs, the browser sends a JSON report to the named endpoint. Reports delivered via report-to use the Reporting API body format, whose keys differ from those of legacy report-uri reports. Here's an example of what a CSP violation report looks like:

Example CSP violation report

{
  "type": "csp-violation",
  "age": 10,
  "url": "https://example.com/page.html",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
  "body": {
    "blockedURL": "https://malicious-site.com/script.js",
    "disposition": "enforce",
    "documentURL": "https://example.com/page.html",
    "effectiveDirective": "script-src",
    "originalPolicy": "default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to security-endpoint",
    "referrer": "",
    "statusCode": 0
  }
}

Report Processing

These reports can be collected and analyzed to identify security issues, malicious attacks, or configuration problems in your security policies.
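As an added example that is not part of the original page, here is a minimal collector for such reports in Python. Browsers deliver Reporting API reports in batches: an HTTP POST whose body is a JSON array of report objects with Content-Type application/reports+json. The endpoint is reachable by any client on the internet, so the code treats the batch as untrusted input (size cap, type checks, required keys) before aggregating CSP violations by directive, blocked source and disposition. The SAMPLE_BATCH and MAX_BATCH_BYTES values are constructed for this example; the report shape follows the page's example report.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed batch in the shape a browser POSTs (Content-Type: application/reports+json):
# a JSON array of report objects. All values are made up for this example.
SAMPLE_BATCH = json.dumps([
    {
        "type": "csp-violation",
        "age": 10,
        "url": "https://example.com/page.html",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "body": {
            "blockedURL": "https://malicious-site.com/script.js",
            "disposition": "enforce",
            "documentURL": "https://example.com/page.html",
            "effectiveDirective": "script-src",
            "originalPolicy": "default-src 'self'; script-src 'self' https://trusted-cdn.com; report-to security-endpoint",
            "referrer": "",
            "statusCode": 0,
        },
    },
    {
        "type": "csp-violation",
        "age": 42,
        "url": "https://example.com/checkout",
        "user_agent": "Mozilla/5.0",
        "body": {
            "blockedURL": "inline",
            "disposition": "report",
            "documentURL": "https://example.com/checkout",
            "effectiveDirective": "script-src",
            "originalPolicy": "script-src 'self'; report-to security-endpoint",
            "referrer": "",
            "statusCode": 200,
        },
    },
    # A different report type, and a malformed report, both of which the collector must ignore.
    {"type": "deprecation", "age": 1, "url": "https://example.com/", "user_agent": "Mozilla/5.0", "body": {}},
    {"type": "csp-violation", "age": "not-a-number", "url": "https://example.com/", "user_agent": "", "body": {}},
]).encode()

MAX_BATCH_BYTES = 64 * 1024  # constructed limit: reject oversized POSTs before parsing them
REQUIRED_BODY_KEYS = ("blockedURL", "documentURL", "effectiveDirective", "disposition")


def parse_report_batch(raw, content_type):
    """Validate an incoming batch and return only well-formed csp-violation reports."""
    if content_type.split(";")[0].strip() != "application/reports+json":
        raise ValueError("unexpected Content-Type")
    if len(raw) > MAX_BATCH_BYTES:
        raise ValueError("batch too large")
    data = json.loads(raw)
    if not isinstance(data, list):
        raise ValueError("batch must be a JSON array")
    accepted = []
    for report in data:
        if not isinstance(report, dict) or report.get("type") != "csp-violation":
            continue  # other report types are out of scope for this collector
        body = report.get("body")
        if not isinstance(report.get("age"), int) or not isinstance(body, dict):
            continue
        if any(key not in body for key in REQUIRED_BODY_KEYS):
            continue
        accepted.append(report)
    return accepted


def blocked_source(blocked_url):
    """Normalise blockedURL for aggregation: keep keywords such as "inline"/"eval",
    reduce real URLs to their origin so one noisy host does not fan out into many rows."""
    if "://" not in blocked_url:
        return blocked_url
    parts = urlsplit(blocked_url)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked_url


def summarize_csp_violations(reports):
    """Count violations by (effectiveDirective, blocked source, disposition)."""
    counts = Counter()
    for report in reports:
        body = report["body"]
        counts[(body["effectiveDirective"], blocked_source(body["blockedURL"]), body["disposition"])] += 1
    return counts


if __name__ == "__main__":
    accepted = parse_report_batch(SAMPLE_BATCH, "application/reports+json; charset=utf-8")
    for key, n in summarize_csp_violations(accepted).items():
        print(n, key)
```

The disposition column matters in practice: an "enforce" entry means the browser actually blocked the load, while a "report" entry comes from a Content-Security-Policy-Report-Only header and shows what a stricter policy would have blocked. Aggregating by origin rather than full URL keeps a single misbehaving host from drowning out the rest of the summary.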

Technical Considerations

Important

Reporting endpoints must be served over HTTPS to ensure secure transmission of violation data. Consider using report-uri as a fallback for older browsers.

Conclusion

The Reporting-Endpoints header provides a modern and efficient way to monitor security policy violations. By properly configuring this header with your Content Security Policy, you can maintain a robust security posture while ensuring your web applications remain protected against potential threats.