Standard HTTP response headers for the REST API

Content Platform Tenant Management Help

In response to REST API requests, HCP returns some standard HTTP headers that address browser security concerns.

Each row below gives the header, the value HCP returns, and a description of its effect.

Header: Cache-Control
Value:
  • no-cache
  • no-store
  • must-revalidate
Description: Specifies directives that must be obeyed by all caching mechanisms along the request/response chain

Header: Content-Security-Policy
Value:
  • default-src 'self'
  • script-src 'self'
  • script-src 'unsafe-eval'
  • script-src 'unsafe-inline'
  • connect-src 'self'
  • img-src 'self'
  • style-src 'self'
  • style-src 'unsafe-inline'
  • object-src 'self'
  • frame-ancestors 'self'
Description: Restricts the content that the browser can load to the sources specified by the header value

Header: Expires
Value: Thu, 01 Jan 1970 00:00:00 GMT
Description: Causes the response to become stale immediately after it is sent

Header: Pragma
Value: no-cache
Description: Prevents the response from being used for subsequent requests for the same resource without the browser first checking whether the resource has changed

Header: X-Content-Type-Options
Value: nosniff
Description: Prevents the browser from examining the returned content to determine the content MIME type

Header: X-DNS-Prefetch-Control
Value: off
Description: Prevents the browser from performing domain name resolution on URLs embedded in returned content before the URLs are requested

Header: X-Download-Options
Value: noopen
Description: Prevents the browser from opening resources that are downloaded through links in the returned content

Header: X-Frame-Options
Value: SAMEORIGIN
Description: Prevents the browser from rendering the returned content in a frame on a page containing content not returned by the HCP system

Header: X-XSS-Protection
Value: 1; mode=block
Description: Stops the browser from loading the returned content if the browser detects reflected cross-site scripting (XSS) in the response

HCP can also return several standard HTTP response headers that are not described in the help, including Connection, Content-Disposition, Content-Encoding, and Content-Language. For more information about HTTP response headers, see the HTTP/1.1 standards, RFCs 7230 through 7237.
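The following is an added example, not code from the HCP documentation or product, showing how an operator can verify that responses from a REST API endpoint actually carry the headers documented above. It takes a dictionary of response headers (the constructed SAMPLE_HEADERS below stands in for a captured response; in practice you would pass `response.headers` from your HTTP client), checks each documented header against its expected value, parses the Content-Security-Policy value into directives so that the separately listed source expressions (for example the three script-src entries, which arrive in one directive on the wire) are compared as sets, and confirms that Expires is already in the past. The expected values are assumed to be exactly those in the table; the function and variable names are the example's own.

```python
"""Check that HTTP response headers carry the browser-security headers
documented for the HCP REST API. The sample headers are constructed for
this example and were not captured from a real HCP system."""
from __future__ import annotations

from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Expected values, taken from the documented table (compared case-insensitively).
# A set means a comma-separated directive list whose order does not matter.
EXPECTED_HEADERS = {
    "cache-control": {"no-cache", "no-store", "must-revalidate"},
    "pragma": "no-cache",
    "x-content-type-options": "nosniff",
    "x-dns-prefetch-control": "off",
    "x-download-options": "noopen",
    "x-frame-options": "sameorigin",
    # Modern browsers ignore X-XSS-Protection; it is checked because the table documents it.
    "x-xss-protection": "1; mode=block",
}

# CSP directives and the source expressions each one must contain.
EXPECTED_CSP = {
    "default-src": {"'self'"},
    "script-src": {"'self'", "'unsafe-eval'", "'unsafe-inline'"},
    "connect-src": {"'self'"},
    "img-src": {"'self'"},
    "style-src": {"'self'", "'unsafe-inline'"},
    "object-src": {"'self'"},
    "frame-ancestors": {"'self'"},
}

# Constructed sample of what a compliant response would carry.
SAMPLE_HEADERS = {
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
        "connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; "
        "object-src 'self'; frame-ancestors 'self'"
    ),
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    "Pragma": "no-cache",
    "X-Content-Type-Options": "nosniff",
    "X-DNS-Prefetch-Control": "off",
    "X-Download-Options": "noopen",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}


def parse_csp(policy: str) -> dict[str, set[str]]:
    """Split a Content-Security-Policy value into {directive: {sources}}.
    Directives are ';'-separated; the first token of each is its name."""
    directives: dict[str, set[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), set()).update(t.lower() for t in tokens[1:])
    return directives


def _norm(value: str) -> str:
    """Lower-case and collapse whitespace so 'nosniff' and ' NoSniff ' compare equal."""
    return " ".join(value.lower().split())


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return findings; an empty list means every documented header is present as documented."""
    findings: list[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    for name, expected in EXPECTED_HEADERS.items():
        actual = lower.get(name)
        if actual is None:
            findings.append(f"missing header: {name}")
        elif isinstance(expected, set):
            missing = expected - {_norm(d) for d in actual.split(",")}
            if missing:
                findings.append(f"{name}: missing directives {sorted(missing)}")
        elif _norm(actual) != expected:
            findings.append(f"{name}: expected {expected!r}, got {actual!r}")

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing header: content-security-policy")
    else:
        parsed = parse_csp(csp)
        for directive, sources in EXPECTED_CSP.items():
            lacking = sources - parsed.get(directive, set())
            if lacking:
                findings.append(f"content-security-policy: {directive} lacks {sorted(lacking)}")

    expires = lower.get("expires")
    if expires is None:
        findings.append("missing header: expires")
    else:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            findings.append(f"expires: unparseable value {expires!r}")
        else:
            # The documented value is the Unix epoch, so the response is stale on arrival.
            if when > datetime.now(timezone.utc):
                findings.append(f"expires: {expires!r} is in the future; response is cacheable")
    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS) or ["all documented headers present"]:
        print(finding)
```

Running the module against SAMPLE_HEADERS reports nothing, while removing X-Frame-Options or loosening default-src to `*` yields one finding per deviation, which makes the check suitable as a post-deployment smoke test against the tenant management endpoint.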