Standard HTTP response headers for the REST API

Content Platform Tenant Management Help
Version: 9.7.x
File Size: 4269 KB
Audience: anonymous
Part Number: MK-95HCPH002-19

In response to REST API requests, HCP returns some standard HTTP headers that address browser security concerns.

Header: Cache-Control
Value:
  • no-cache
  • no-store
  • must-revalidate
Description: Specifies directives that must be obeyed by all caching mechanisms along the request/response chain

Header: Content-Security-Policy
Value:
  • default-src 'self'
  • script-src 'self'
  • script-src 'unsafe-eval'
  • script-src 'unsafe-inline'
  • connect-src 'self'
  • img-src 'self'
  • style-src 'self'
  • style-src 'unsafe-inline'
  • object-src 'self'
  • frame-ancestors 'self'
Description: Restricts the content that the browser can load to the sources specified by the header value

Header: Expires
Value: Thu, 01 Jan 1970 00:00:00 GMT
Description: Causes the response to become stale immediately after it is sent

Header: Pragma
Value: no-cache
Description: Prevents the response from being used for subsequent requests for the same resource without the browser first checking whether the resource has changed

Header: X-Content-Type-Options
Value: nosniff
Description: Prevents the browser from examining the returned content to determine the content MIME type

Header: X-DNS-Prefetch-Control
Value: off
Description: Prevents the browser from performing domain name resolution on URLs embedded in returned content before the URLs are requested

Header: X-Download-Options
Value: noopen
Description: Prevents the browser from opening resources that are downloaded through links in the returned content

Header: X-Frame-Options
Value: SAMEORIGIN
Description: Prevents the browser from rendering the returned content in a frame on a page containing content not returned by the HCP system

Header: X-XSS-Protection
Value: 1; mode=block
Description: Stops the browser from loading the returned content if the browser detects reflected cross-site scripting (XSS) in the response
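
A practitioner auditing an HCP deployment (or a proxy in front of it) usually wants to confirm that these headers actually reach the client unchanged. The following checker is an added example, not HCP code: the expected header names and values are copied from the table above, and the two sample responses are constructed for illustration. The Content-Security-Policy check parses the header into directives, because the table lists the policy one directive value per line while a real header carries each directive once with all of its sources (a browser ignores a repeated directive after the first occurrence).

```python
"""Verify that a REST response carries the browser-security headers listed in the
table above.  Added example, not HCP code: expected names and values come from
the help table; the sample responses below are constructed."""

# Exact-value headers from the table (compared after whitespace trimming).
EXPECTED_EXACT = {
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    "Pragma": "no-cache",
    "X-Content-Type-Options": "nosniff",
    "X-DNS-Prefetch-Control": "off",
    "X-Download-Options": "noopen",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

# Cache-Control is a comma-separated token list; order does not matter.
EXPECTED_CACHE_CONTROL = {"no-cache", "no-store", "must-revalidate"}

# Content-Security-Policy directives from the table, keyed by directive name.
EXPECTED_CSP = {
    "default-src": {"'self'"},
    "script-src": {"'self'", "'unsafe-eval'", "'unsafe-inline'"},
    "connect-src": {"'self'"},
    "img-src": {"'self'"},
    "style-src": {"'self'", "'unsafe-inline'"},
    "object-src": {"'self'"},
    "frame-ancestors": {"'self'"},
}


def parse_csp(value):
    """Parse a CSP value into {directive: set of source expressions}.
    Directives are ';'-separated; the first token is the directive name.
    Browsers honour only the first occurrence of a repeated directive,
    so setdefault() keeps the first one too."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), set(tokens[1:]))
    return policy


def parse_token_list(value):
    """Parse a comma-separated header such as Cache-Control into a token set."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def check_headers(headers):
    """Return a list of findings; an empty list means every expected header is
    present with the expected value.  Header names match case-insensitively."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings = []

    for name, want in EXPECTED_EXACT.items():
        got = lower.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got.strip() != want:
            findings.append(f"{name}: expected {want!r}, got {got.strip()!r}")

    cc = lower.get("cache-control")
    if cc is None:
        findings.append("missing Cache-Control")
    else:
        absent = EXPECTED_CACHE_CONTROL - parse_token_list(cc)
        if absent:
            findings.append(f"Cache-Control lacks {sorted(absent)}")

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        for directive, sources in EXPECTED_CSP.items():
            if directive not in policy:
                findings.append(f"CSP lacks {directive}")
            elif not sources <= policy[directive]:
                missing = sorted(sources - policy[directive])
                findings.append(f"CSP {directive} lacks {missing}")
    return findings


# Constructed sample: a response carrying every header from the table.
GOOD_RESPONSE = {
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
        "connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; "
        "object-src 'self'; frame-ancestors 'self'"
    ),
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    "Pragma": "no-cache",
    "X-Content-Type-Options": "nosniff",
    "X-DNS-Prefetch-Control": "off",
    "X-Download-Options": "noopen",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed sample: a stripped-down response that a checker should flag
# (for instance one passed through a proxy that dropped headers).
WEAK_RESPONSE = {
    "Cache-Control": "no-cache",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Pragma": "no-cache",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, check_headers(resp) or "OK")
```

To run it against a live system, replace the constructed dictionaries with the header mapping returned by your HTTP client (for example the `headers` attribute of a `urllib.request` or `requests` response). Two points worth keeping in mind when reading the findings: frame-ancestors 'self' and X-Frame-Options SAMEORIGIN express the same clickjacking defence, and a missing frame-ancestors is the more important of the two because CSP is what current browsers consult first; and X-XSS-Protection is a legacy header that current browser versions no longer act on, so its presence should not be mistaken for reflected-XSS protection.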

HCP can also return several standard HTTP response headers that are not described in the help, including Connection, Content-Disposition, Content-Encoding, and Content-Language. For more information about HTTP response headers, see the HTTP/1.1 standards, RFCs 7230 through 7237.