Network Error Logging reports

Network Error Logging (NEL) enables web applications to declare a reporting policy that the browser uses to report network errors for a given origin: DNS resolution errors, secure connection errors, HTTP errors like 404s, redirect loops, etc. You can even get reports for successful HTTP 2xx and 3xx responses, if you wish.

The NEL response header:

NEL: {"report_to":"default","max_age":1800,"include_subdomains":true}

The header can also contain these optional fields, both of which are numbers between 0.0 and 1.0:

The Report-To response header:

Report-To: {"group":"default","max_age":1800,"endpoints":[{"url":"https://acrid.has.report/report"}],"include_subdomains":true}

Generate HTTP 404, e.g. https://canhas.report/shrike-psalm-is.404

Generate DNS resolution error, e.g. https://cheezburger.canhas.report

Generate TLS certificate error

One of the most useful NEL report types could be TLS error reports. Things like an expired certificate sometimes happen even if you automate renewal, and NEL offers an easy way to monitor for such issues. Now, testing TLS NEL reports is not exactly easy and cannot be done with just a few clicks here. The reason is that the browser needs to cache the NEL policy for the host first, and for that it needs a working and secure HTTPS connection (i.e. no errors). Then the same browser needs to encounter an error when loading a page over HTTPS from the same host, not even from the host's subdomain – that's because include_subdomains: true doesn't apply to the connection phase of the request for privacy reasons, and the connection phase is exactly where secure connection establishment errors occur. But you can…

Simulate a TLS error with Fiddler

Fiddler is a great HTTP debugging proxy originally written by Eric Lawrence and you can use it to inspect HTTP and HTTPS traffic (and much more). We'll use it to generate a TLS error in your browser. Although it would be possible to simulate an expired certificate with Fiddler, let's take the slightly easier path and simulate a certificate issued by an untrusted certification authority:

  1. Get Fiddler
  2. Load this page to cache the NEL policy – somehow I think you've already done this step
  3. Configure Fiddler to decrypt HTTPS traffic but DO NOT trust the Fiddler Root Certificate
  4. Load this page again and this is what's going to happen:
    1. Your browser will send a request to the Fiddler proxy
    2. The proxy will resend it to the server
    3. The server will respond to Fiddler, encrypting the traffic with a valid certificate
    4. Fiddler will validate the certificate produced by the server and decrypt the traffic
    5. Fiddler will re-encrypt the traffic with its own Root Certificate
    6. But your browser doesn't trust the Root Certificate and will show an Invalid Certification Authority error or similar
    7. Your browser will also generate the NEL report
  5. Exit Fiddler now (or stop capturing traffic using F12) before your browser tries to actually send the generated report
  6. Check your reports (it can take some time before the browser sends the report)
  7. You should see a network-error report with "type": "tls.cert.authority_invalid" and "phase": "connection"; if this were a report for an expired certificate, you'd see the tls.cert.date_invalid type instead
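
One way a report collector could pick out certificate errors like the one above, as an added example (not code from this page). The batch layout follows the Reporting API's `application/reports+json` format; the sample reports, the `POLICY_HOSTS` set and the `triage` function are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Hosts that send the NEL header themselves (assumption for this example).
POLICY_HOSTS = {"canhas.report"}

# Constructed application/reports+json batch, as a browser would POST it.
SAMPLE_BODY = json.dumps([
    {"age": 12, "type": "network-error", "url": "https://canhas.report/",
     "body": {"type": "tls.cert.authority_invalid", "phase": "connection", "status_code": 0}},
    {"age": 3, "type": "network-error", "url": "https://canhas.report/shrike-psalm-is.404",
     "body": {"type": "http.error", "phase": "application", "status_code": 404}},
    {"age": 5, "type": "network-error", "url": "https://cheezburger.canhas.report/",
     "body": {"type": "dns.name_not_resolved", "phase": "dns", "status_code": 0}},
    {"age": 1, "type": "network-error", "url": "https://sub.canhas.report/",
     "body": {"type": "tls.cert.date_invalid", "phase": "connection", "status_code": 0}},
    {"age": 0, "type": "csp-violation", "url": "https://canhas.report/", "body": {}},
])

def triage(raw_body, policy_hosts=POLICY_HOSTS):
    """Return (alerts, rejected) for one report batch.

    alerts:   tls.* reports for hosts that serve the policy themselves.
    rejected: connection-phase reports for any other host. A policy inherited
              through include_subdomains does not cover the connection phase,
              so such a report does not match the deployed policy. Reports
              arrive unauthenticated, so treat these as untrusted input.
    """
    alerts, rejected = [], []
    reports = json.loads(raw_body)
    if not isinstance(reports, list):
        raise ValueError("expected a JSON array of reports")
    for report in reports:
        if not isinstance(report, dict) or report.get("type") != "network-error":
            continue  # other Reporting API report types can share the endpoint
        body = report.get("body")
        if not isinstance(body, dict):
            continue
        host = (urlsplit(str(report.get("url", ""))).hostname or "").lower()
        err, phase = str(body.get("type", "")), body.get("phase")
        if phase == "connection" and host not in policy_hosts:
            rejected.append((host, err))
        elif err.startswith("tls."):
            alerts.append((host, err))
    return alerts, rejected
```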

See also Chrome's list of all NEL types.

Related specs & documents