CSP enabled but no Reporting-Endpoints header / report-to directive (~10% adoption)
Your site has a Content Security Policy (CSP) — a set of rules that controls what scripts and resources can load — but it is not set up to report violations back to you. Reporting endpoints are where those violation alerts get sent.
Why this matters
Without reporting, your CSP runs silently. If something breaks for users, or if an attacker probes your policy, you will never know. Violation reports let you spot misconfigured policies before they block legitimate content, and detect real attack attempts.
How to fix it
Add a Reporting-Endpoints header to your site and include a report-to directive in your CSP pointing to a reporting service (such as report-uri.com or your own endpoint). This is a monitoring improvement, not a security control on its own.
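As an added illustration (not code from the original finding or from any reporting service), the snippet below shows both halves of the fix: the two response headers a site emits so the browser knows where to post violations, and a tiny endpoint that receives them. The endpoint group name `csp-endpoint`, the URL `https://example.com/csp-reports`, the trusted-origin set and all sample report payloads are assumptions constructed for the example. It handles both the Reporting API payload (a JSON array, `report-to`) and the older single-object `report-uri` payload, and does a first-pass triage of each report so that policy mistakes (your own assets being blocked) can be told apart from unexpected origins that deserve a closer look.

```python
"""Emit a reporting-enabled CSP and receive the violation reports it produces."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Hypothetical endpoint group name and URL (assumptions, not from the finding).
REPORT_GROUP = "csp-endpoint"
REPORT_URL = "https://example.com/csp-reports"
TRUSTED_ORIGINS = {"https://example.com"}  # assumed first-party origins


def build_csp_headers(policy, group=REPORT_GROUP, url=REPORT_URL):
    """Return the headers that turn a silent CSP into a reporting one.

    Reporting-Endpoints binds a group name to a URL; the CSP's report-to
    directive references that group. report-uri is kept as a fallback for
    browsers that do not implement the Reporting API.
    """
    return {
        "Reporting-Endpoints": f'{group}="{url}"',
        "Content-Security-Policy": f"{policy}; report-to {group}; report-uri {url}",
    }


def parse_reports(raw):
    """Normalise Reporting API and legacy report-uri payloads into one shape."""
    data = json.loads(raw)
    if isinstance(data, dict) and "csp-report" in data:  # legacy: one report per POST
        r = data["csp-report"]
        return [{"document": r.get("document-uri"),
                 "directive": r.get("effective-directive") or r.get("violated-directive"),
                 "blocked": r.get("blocked-uri")}]
    reports = []
    for item in data:  # Reporting API: array that may mix report types
        if item.get("type") != "csp-violation":
            continue
        b = item.get("body", {})
        reports.append({"document": b.get("documentURL"),
                        "directive": b.get("effectiveDirective"),
                        "blocked": b.get("blockedURL")})
    return reports


def classify(report, trusted_origins=TRUSTED_ORIGINS):
    """Rough triage of one report: expected asset, inline code, or something else."""
    blocked = report.get("blocked") or ""
    if blocked in ("inline", "eval", ""):
        return "inline-or-eval"  # missing nonce/hash on your own code, or injected script
    parts = urlsplit(blocked)
    if f"{parts.scheme}://{parts.netloc}" in trusted_origins:
        return "policy-too-strict"  # your own asset blocked: fix the allowlist
    return "unexpected-origin"  # not yours: investigate the page that loaded it


class ReportHandler(BaseHTTPRequestHandler):
    """Accepts POSTed reports, logs a one-line summary per report, answers 204."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        for r in parse_reports(self.rfile.read(length)):
            print(f"{classify(r)} directive={r['directive']} "
                  f"blocked={r['blocked']} on={r['document']}")
        self.send_response(204)
        self.end_headers()


# Constructed sample payloads in the two shapes a browser sends.
SAMPLE_REPORTING_API = json.dumps([
    {"type": "csp-violation", "age": 12, "url": "https://example.com/checkout",
     "user_agent": "constructed",
     "body": {"documentURL": "https://example.com/checkout",
              "blockedURL": "https://unknown.invalid/x.js",
              "effectiveDirective": "script-src", "disposition": "enforce"}},
    {"type": "deprecation", "age": 1, "url": "https://example.com/", "body": {}},
    {"type": "csp-violation", "age": 3, "url": "https://example.com/",
     "body": {"documentURL": "https://example.com/",
              "blockedURL": "inline", "effectiveDirective": "script-src"}},
]).encode()
SAMPLE_LEGACY = json.dumps({"csp-report": {
    "document-uri": "https://example.com/", "violated-directive": "img-src",
    "blocked-uri": "https://example.com/static/logo.png"}}).encode()


if __name__ == "__main__":
    for name, value in build_csp_headers("default-src 'self'").items():
        print(f"{name}: {value}")
    for r in parse_reports(SAMPLE_REPORTING_API) + parse_reports(SAMPLE_LEGACY):
        print(classify(r), r)
    HTTPServer(("127.0.0.1", 8000), ReportHandler).serve_forever()
```

Run it, then post either sample payload to `http://127.0.0.1:8000/` to see a report summarised; in production the endpoint should sit behind TLS at the URL named in Reporting-Endpoints and feed the summaries into whatever log pipeline you already alert on.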