[GH-ISSUE #21830] feat: Extend #4925 Security response headers to include Reporting-Endpoints header to aid in CSP debugging #35116

Closed
opened 2026-04-25 09:19:27 -05:00 by GiteaMirror · 1 comment

Originally created by @mgetzflex on GitHub (Feb 24, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21830

Check Existing Issues

  • I have searched for all existing open AND closed issues and discussions for similar requests. I have found none that is comparable to my request.

Verify Feature Scope

  • I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions.

Problem Description

As a SecDevOps engineer looking to harden my instance of Open WebUI, I need the ability to set the Reporting-Endpoints header such that I can receive the CSP violation reports directly rather than having to wait on users to report them.

Desired Solution you'd like

Extend #4925 by adding a new handler for the REPORTING_ENDPOINTS environment variable. It then sets the Reporting-Endpoints header if the variable is set.

Alternatives Considered

None.

Additional Context

This is a nice to have, but not critical. It would help get CSPs locked down. It should be quick to implement as it can be completely contained within backend/open_webui/utils/security_headers.py.

```python
# Set Reporting-Endpoints response header
def set_reporting_endpoints(value: str):
    return {"Reporting-Endpoints": value}
```
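An added example, not part of the original issue and not Open WebUI's code: one way to validate the REPORTING_ENDPOINTS value before emitting it, and to check that a CSP `report-to` directive names an endpoint the header actually defines. The function names, the `CONTENT_SECURITY_POLICY` variable name and the sample values are assumptions, and the URL check (https or a same-origin path only) is deliberately stricter than the header syntax requires.

```python
import re
from urllib.parse import urlsplit

# Conservative subset of the structured-field dictionary syntax the header uses:
#   name="url", other-name="url"
_MEMBER = r'([a-z*][a-z0-9_.*-]*)="([^"\\]*)"'
_HEADER = re.compile(rf" *{_MEMBER}(?: *, *{_MEMBER})* *")


def parse_reporting_endpoints(value: str) -> dict:
    """Return {endpoint_name: url}; raise ValueError on anything unexpected."""
    # CR/LF or other control characters would allow response-header injection.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control character in REPORTING_ENDPOINTS")
    if not _HEADER.fullmatch(value):
        raise ValueError('expected name="url" pairs separated by commas')
    endpoints = {}
    for name, url in re.findall(_MEMBER, value):
        parts = urlsplit(url)
        is_https = parts.scheme == "https" and bool(parts.netloc)
        is_local_path = not parts.scheme and not parts.netloc and url.startswith("/")
        if not (is_https or is_local_path):
            raise ValueError(f"endpoint {name!r} must be https:// or a same-origin path")
        endpoints[name] = url
    return endpoints


def reporting_headers(env: dict) -> dict:
    """Emit the header only when REPORTING_ENDPOINTS is set, as the issue requests."""
    raw = env.get("REPORTING_ENDPOINTS", "").strip()
    if not raw:
        return {}
    endpoints = parse_reporting_endpoints(raw)
    # Assumed variable name: the CSP is taken from CONTENT_SECURITY_POLICY.
    for directive in env.get("CONTENT_SECURITY_POLICY", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "report-to":
            if len(tokens) != 2 or tokens[1] not in endpoints:
                raise ValueError("CSP report-to names an undefined endpoint")
    return {"Reporting-Endpoints": raw}


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_ENV = {
    "REPORTING_ENDPOINTS": 'csp-endpoint="https://reports.example.com/csp"',
    "CONTENT_SECURITY_POLICY": "default-src 'self'; report-to csp-endpoint",
}
```

Passing `os.environ` as `env` works unchanged; a misconfigured value fails at startup with a `ValueError` instead of producing a header browsers silently ignore.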

@tjbck commented on GitHub (Feb 24, 2026):

Addressed in dev.

Reference: github-starred/open-webui#35116