As of January 7th, 2025 this header is listed as EXPERIMENTAL on the relevant Mozilla Developer Network page (see below), and it is not currently recommended by the OWASP Secure Headers Project. Support for this header (as understood on January 7th, 2025) has therefore been added in version 10.1.x, but it requires explicit developer configuration. Because the standard is still evolving, there is no guarantee that the functionality provided in the current version (10.1.x) will remain standards compliant; the header will be made fully standards compliant once the standard has been ratified.
The Mozilla Developer Network describes the Reporting-Endpoints header like this:
The HTTP Reporting-Endpoints response header allows website administrators to specify one or more endpoints that can be sent reports generated by the Reporting API.
The endpoints can be used, for example, as targets for sending CSP violation reports, Cross-Origin-Opener-Policy reports, or other generic violations.
When used for reporting Content Security Policy (CSP) errors, the header is used in combination with the Content-Security-Policy header report-to directive. For more details on setting up CSP reporting, see the Content Security Policy (CSP) documentation.
source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Reporting-Endpoints
A Reporting-Endpoints header can be added in only one way: via an extension method on the SecureHeadersMiddlewareBuilder class called UseReportingEndpointsPolicy, which takes a dictionary mapping endpoint names to the URIs that will receive reports:
using System;
using System.Collections.Generic;

// Each key is an endpoint name that a Content-Security-Policy report-to
// directive can refer to; each value is the URL that receives the reports.
var reportingEndpoints =
    new Dictionary<string, Uri> {
        { "standard", new Uri("https://localhost:5000/reporting-endpoint") }
    };

// Build the middleware configuration with the Reporting-Endpoints policy enabled.
var secureHeadersMiddlewareConfig = SecureHeadersMiddlewareBuilder.CreateBuilder()
    .UseReportingEndpointsPolicy(reportingEndpoints)
    .Build();

// Register the middleware so every response carries the configured headers.
app.UseSecureHeadersMiddleware(secureHeadersMiddlewareConfig);
The above adds the Reporting-Endpoints header with a value that maps the endpoint name “standard” to the URL “https://localhost:5000/reporting-endpoint”, i.e. the response carries Reporting-Endpoints: standard="https://localhost:5000/reporting-endpoint".
It is important to note that this header can be included without the Content-Security-Policy header. However, if the Content-Security-Policy report-to directive is used WITHOUT the Reporting-Endpoints header being present (or without that header containing an entry whose name matches the one given to report-to), the browser has no endpoint to deliver to and the CSP-generated report will not be sent. The name is matched exactly, so a policy containing “report-to standard” requires a Reporting-Endpoints entry named “standard”.
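The pairing rule above is easy to get wrong when the CSP and the Reporting-Endpoints header are configured in different places, so a practical safeguard is to check the headers a server actually emits. The following is an added example written for this page, not code from OwaspHeaders.Core: a small Python checker that parses a Reporting-Endpoints value (a structured-field dictionary of name="url" members), extracts the endpoint name from a CSP report-to directive, and reports why CSP violation reports would not be delivered. The sample header sets are constructed for the example; the https-only rule is a deliberate simplification of the Reporting API's "potentially trustworthy URL" requirement.

```python
"""Consistency check for CSP report-to against the Reporting-Endpoints header.

Hypothetical helper, not part of OwaspHeaders.Core: it inspects the response
headers a server emits and flags the misconfiguration where report-to names
an endpoint that Reporting-Endpoints does not declare.
"""
import re
from typing import Dict, List, Optional

# Reporting-Endpoints is an HTTP Structured Field Dictionary whose members look
# like   name="https://example.test/reports"   separated by commas.
_MEMBER_RE = re.compile(r'\s*([a-z*][a-z0-9_\-.*]*)\s*=\s*"([^"]*)"\s*(?:,|$)')


def parse_reporting_endpoints(value: str) -> Dict[str, str]:
    """Parse a Reporting-Endpoints header value into {endpoint name: url}."""
    endpoints: Dict[str, str] = {}
    pos = 0
    while pos < len(value):
        m = _MEMBER_RE.match(value, pos)
        if m is None:
            raise ValueError(
                f"malformed Reporting-Endpoints member at offset {pos}: {value[pos:]!r}")
        endpoints[m.group(1)] = m.group(2)
        pos = m.end()
    return endpoints


def csp_report_to_name(csp: str) -> Optional[str]:
    """Return the endpoint name given to the CSP report-to directive.

    None means the directive is absent; an empty string means it was written
    without a name (for example a policy ending in "; report-to").
    """
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "report-to":
            return tokens[1] if len(tokens) > 1 else ""
    return None


def check_csp_reporting(headers: Dict[str, str]) -> List[str]:
    """Return the problems that would stop CSP reports being delivered.

    An empty list means report-to is either unused or points at a declared
    endpoint. Header names are matched case-insensitively.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is None:
        return []
    name = csp_report_to_name(csp)
    if name is None:
        return []                       # CSP without report-to: nothing to check
    if name == "":
        return ["report-to directive carries no endpoint name"]
    raw = lower.get("reporting-endpoints")
    if raw is None:
        return [f"report-to {name!r} is used but no Reporting-Endpoints header is sent"]
    endpoints = parse_reporting_endpoints(raw)
    if name not in endpoints:
        return [f"report-to {name!r} has no entry in Reporting-Endpoints "
                f"(declared: {sorted(endpoints)})"]
    # The Reporting API only delivers to potentially trustworthy URLs; treating
    # "https only" as the rule is a simplification of that requirement.
    if not endpoints[name].lower().startswith("https://"):
        return [f"endpoint {name!r} is not an https URL: {endpoints[name]}"]
    return []


# Constructed sample responses (not captured from a real server).
GOOD = {
    "Content-Security-Policy": "default-src 'self'; report-to standard",
    "Reporting-Endpoints": 'standard="https://localhost:5000/reporting-endpoint"',
}
MISSING_HEADER = {
    "Content-Security-Policy": "default-src 'self'; report-to standard",
}
WRONG_NAME = {
    "Content-Security-Policy": "default-src 'self'; report-to csp-endpoint",
    "Reporting-Endpoints": 'standard="https://localhost:5000/reporting-endpoint"',
}

if __name__ == "__main__":
    samples = (("good", GOOD), ("missing header", MISSING_HEADER), ("wrong name", WRONG_NAME))
    for label, hdrs in samples:
        print(label, "->", check_csp_reporting(hdrs) or "ok")
```

Running it against the three sample sets prints "ok" only for the first; the other two show the two ways the pairing breaks (header absent, or the name in report-to not declared). The same function can be run over headers fetched from a staging deployment to confirm the middleware configuration and the CSP agree.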
Full Options
Not applicable, as the Reporting-Endpoints header takes a Dictionary<string, Uri>.