feat: Extend #4925 Security response headers to include Reporting-Endpoints header to aid in CSP debugging #21830

@mgetzflex

Check Existing Issues

  • I have searched for all existing open AND closed issues and discussions for similar requests. I have found none that is comparable to my request.

Verify Feature Scope

  • I have read through and understood the scope definition for feature requests in the Issues section. I believe my feature request meets the definition and belongs in the Issues section instead of the Discussions.

Problem Description

As a SecDevOps engineer looking to harden my instance of Open WebUI, I need the ability to set the Reporting-Endpoints header so that I can receive the CSP violation reports directly rather than having to wait on users to report them.

Desired Solution you'd like

Extend #4925 by adding a new handler for the REPORTING_ENDPOINTS environment variable, which then sets the Reporting-Endpoints header if set.

Alternatives Considered

None.

Additional Context

This is a nice to have, but not critical. It would help get CSPs locked down. It should be quick to implement, as it can be completely contained within backend/open_webui/utils/security_headers.py.

# Set Reporting-Endpoints response header
def set_reporting_endpoints(value: str):
    return {"Reporting-Endpoints": value}
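
One way to validate a REPORTING_ENDPOINTS value before emitting it, and to check that the CSP's report-to directive names an endpoint it defines. This is an added example, not Open WebUI's code or the issue author's; the function names, the absolute-https-only rule and the sample values in the test are assumptions.

```python
import re
from urllib.parse import urlsplit

# One dictionary member: key="string" (RFC 8941 key, quoted printable ASCII
# without escapes). Parameters and escapes are deliberately not accepted,
# and control characters such as CR/LF can never pass.
_MEMBER = r'([a-z*][a-z0-9_.*-]*)="([\x20\x21\x23-\x5b\x5d-\x7e]*)"'
_HEADER = re.compile(rf'[ \t]*{_MEMBER}(?:[ \t]*,[ \t]*{_MEMBER})*[ \t]*')


def parse_reporting_endpoints(value: str) -> dict[str, str]:
    """Return {endpoint_name: url} or raise ValueError on a malformed value."""
    if not _HEADER.fullmatch(value):
        raise ValueError('not a list of name="url" members')
    endpoints = {}
    for name, url in re.findall(_MEMBER, value):
        parts = urlsplit(url)
        # Assumption of this example: only absolute https:// collectors.
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"endpoint {name!r} is not an absolute https URL")
        endpoints[name] = url  # a repeated name keeps the last value
    return endpoints


def csp_report_to_problems(csp: str, endpoints: dict[str, str]) -> list[str]:
    """List mismatches between a CSP's report-to directive and the endpoints."""
    problems = []
    groups = [d.split()[1:] for d in csp.split(";")
              if d.split() and d.split()[0].lower() == "report-to"]
    if not groups:
        problems.append("CSP has no report-to directive")
    for tokens in groups:
        if len(tokens) != 1:
            problems.append("report-to must name exactly one endpoint")
        elif tokens[0] not in endpoints:
            problems.append(f"report-to names undefined endpoint {tokens[0]!r}")
    return problems
```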
