diff --git a/docs/security-legal-pii/security/security-policy-reporting.mdx b/docs/security-legal-pii/security/security-policy-reporting.mdx index b9a2e63d39639..c3075d53c9ae9 100644 --- a/docs/security-legal-pii/security/security-policy-reporting.mdx +++ b/docs/security-legal-pii/security/security-policy-reporting.mdx @@ -21,11 +21,12 @@ Content-Security-Policy: ...; report-to csp-endpoint Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://___ORG_INGEST_DOMAIN___/api/___PROJECT_ID___/security/?sentry_key=___PUBLIC_KEY___"}],"include_subdomains":true} +Reporting-Endpoints: csp-endpoint="https://___ORG_INGEST_DOMAIN___/api/___PROJECT_ID___/security/?sentry_key=___PUBLIC_KEY___" ``` -Though the `report-to` directive is intended to replace the deprecated `report-uri` directive, `report-to` isn't supported in most browsers yet. So for compatibility with current browsers while also adding forward compatibility when browsers get `report-to` support, you can specify both `report-uri` and `report-to` in your Content-Security-Policy (CSP). +Though the `report-to` directive is intended to replace the deprecated `report-uri` directive, `report-to` isn't supported in most browsers yet. So for compatibility with current browsers while also adding forward compatibility when browsers get `report-to` support, you can specify both `report-uri` and `report-to` in your Content-Security-Policy (CSP), as well as [Report-To](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Report-To) and [Reporting-Endpoints](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints) headers. 
@@ -38,6 +39,7 @@ Content-Security-Policy-Report-Only: ...; report-to csp-endpoint Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"https://___ORG_INGEST_DOMAIN___/api/___PROJECT_ID___/security/?sentry_key=___PUBLIC_KEY___"}],"include_subdomains":true} +Reporting-Endpoints: csp-endpoint="https://___ORG_INGEST_DOMAIN___/api/___PROJECT_ID___/security/?sentry_key=___PUBLIC_KEY___" ``` When defining your policy it is important to ensure that `sentry.io` or your self-hosted Sentry domain is in your `default-src` or `connect-src` policy, or browsers will block requests that submit policy violations.
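Review bot: The prose in the first hunk still says `report-to` "isn't supported in most browsers yet" while the same hunk adds the `Reporting-Endpoints` header, which only exists because browsers did ship `report-to` support via the Reporting API; the sentence should be updated so it no longer contradicts the header it introduces. It should also say which header is which: `Reporting-Endpoints` is the current Reporting API header and `Report-To` the older JSON form, and the name used in `report-to csp-endpoint` must match the key in `Reporting-Endpoints: csp-endpoint="..."` (and the `"group"` value in `Report-To`) exactly, otherwise violation reports are silently dropped. Appending the two MDN links without that explanation leaves the reader unsure whether to send one header or both.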
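Review bot: The `Reporting-Endpoints` line added to the report-only block has no equivalent of the `"include_subdomains":true` and `"max_age"` fields shown in the `Report-To` line directly above it; `Reporting-Endpoints` is scoped to the response it is sent on, so a reader who relied on `include_subdomains` to cover subdomains needs to know the header must be emitted on every response from every subdomain. A short sentence after the code block saying so would prevent that gap. The value is also duplicated verbatim from the enforced-policy block in the first hunk; if the docs have a shared snippet mechanism, consider using it so the two stay in sync.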