For an HCP management API request, the HTTP response headers always include headers that address browser security concerns. These headers have fixed values. The table below describes these headers.
Header | Value | Description |
---|---|---|
Cache-Control | no-cache,no-store,must-revalidate | Specifies directives that must be obeyed by all caching mechanisms along the request/response chain |
Content-Security-Policy | default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'self'; frame-ancestors 'self'; | Restricts the content that the browser can load to the sources specified by the header value |
Expires | Thu, 01 Jan 1970 00:00:00 GMT | Causes the response to become stale immediately after it is sent |
Pragma | no-cache | Prevents the response from being used for subsequent requests for the same resource without the browser first checking whether the resource has changed |
X-Content-Type-Options | nosniff | Prevents the browser from examining the returned content to determine the content MIME type |
X-DNS-Prefetch-Control | off | Prevents the browser from performing domain name resolution on URLs embedded in returned content before the URLs are requested |
X-Download-Options | noopen | Prevents the browser from opening resources that are downloaded through links in the returned content |
X-Frame-Options | SAMEORIGIN | Prevents the browser from rendering the returned content in a frame on a page containing content not returned by the HCP system |
X-XSS-Protection | 1; mode=block | Stops the browser from loading the returned content if the browser detects reflected cross-site scripting (XSS) in the response |
Note: The Cache-Control and Expires headers are not returned with error responses.
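The fixed values in the table, together with the exception for error responses, can be turned into a conformance check that an operator runs against captured responses. The following is an added example, not HCP's own code; the header dictionaries it is run on are constructed samples, and the function name `check_security_headers` is an assumption.

```python
"""Verify the browser-security headers on an HCP management API response.

Added example (not HCP code). Expected values are the fixed ones from the
table above; Cache-Control and Expires are allowed to be absent on error
responses, as the note states.
"""

# Fixed values documented for every management API response.
EXPECTED_HEADERS = {
    "Cache-Control": "no-cache,no-store,must-revalidate",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
        "connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; "
        "object-src 'self'; frame-ancestors 'self';"
    ),
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    "Pragma": "no-cache",
    "X-Content-Type-Options": "nosniff",
    "X-DNS-Prefetch-Control": "off",
    "X-Download-Options": "noopen",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

# Headers the documentation says are not returned with error responses.
OPTIONAL_ON_ERROR = {"Cache-Control", "Expires"}


def check_security_headers(status, headers):
    """Return a sorted list of problems ('missing: X' or 'wrong: X=...').

    Header names are matched case-insensitively, as HTTP requires, and
    surrounding whitespace in values is ignored.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []
    for name, expected in EXPECTED_HEADERS.items():
        actual = lowered.get(name.lower())
        if actual is None:
            if status >= 400 and name in OPTIONAL_ON_ERROR:
                continue  # documented exception for error responses
            problems.append(f"missing: {name}")
        elif actual != expected:
            problems.append(f"wrong: {name}={actual!r}")
    return sorted(problems)


if __name__ == "__main__":
    # Constructed sample: a 404 that lacks the two cache headers is conformant.
    sample = {k: v for k, v in EXPECTED_HEADERS.items() if k not in OPTIONAL_ON_ERROR}
    print(check_security_headers(404, sample))  # []
```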