In response to REST API requests, HCP returns some standard HTTP headers that address browser security concerns.
Header | Value | Description
---|---|---
Cache-Control | | Specifies directives that must be obeyed by all caching mechanisms along the request/response chain
Content-Security-Policy | | Restricts the content that the browser can load to the sources specified by the header value
Expires | Thu, 01 Jan 1970 00:00:00 GMT | Causes the response to become stale immediately after it is sent
Pragma | no-cache | Prevents the response from being used for subsequent requests for the same resource without the browser first checking whether the resource has changed
X-Content-Type-Options | nosniff | Prevents the browser from examining the returned content to determine the content MIME type
X-DNS-Prefetch-Control | off | Prevents the browser from performing domain name resolution on URLs embedded in returned content before the URLs are requested
X-Download-Options | noopen | Prevents the browser from opening resources that are downloaded through links in the returned content
X-Frame-Options | SAMEORIGIN | Prevents the browser from rendering the returned content in a frame on a page containing content not returned by the HCP system
X-XSS-Protection | 1; mode=block | Stops the browser from loading the returned content if the browser detects reflected cross-site scripting (XSS) in the response
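The table above is a policy a defender can verify against a live response. The following is an added example (not HCP code and not from this help page) that parses a raw HTTP/1.1 response and audits it against the header values listed in the table. Cache-Control and Content-Security-Policy are checked only for presence, because the table lists no value for them; the sample response, the `EXPECTED_HEADERS` mapping and the function names are constructed for this example.

```python
"""Audit an HTTP response for the browser-hardening headers HCP documents.

Added example, not HCP code. Expected values are taken from the header
table; Cache-Control and Content-Security-Policy are only checked for
presence because the table gives no value for them.
"""
from __future__ import annotations

# Expected values from the HCP header table. None means "must be present,
# but the table does not specify a value".
EXPECTED_HEADERS: dict[str, str | None] = {
    "Cache-Control": None,
    "Content-Security-Policy": None,
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    "Pragma": "no-cache",
    "X-Content-Type-Options": "nosniff",
    "X-DNS-Prefetch-Control": "off",
    "X-Download-Options": "noopen",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}


def parse_response_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a dict.

    Header field names are case-insensitive (RFC 7230), so keys are
    lower-cased. Repeated fields are joined with ", " as the RFC allows for
    list-valued fields. The status line and the body are ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_headers(headers: dict[str, str],
                  expected: dict[str, str | None] = EXPECTED_HEADERS) -> list[str]:
    """Return findings in table order; an empty list means the response conforms."""
    findings: list[str] = []
    for name, want in expected.items():
        got = headers.get(name.lower())
        if got is None:
            findings.append(f"missing: {name}")
        elif want is not None and got.casefold() != want.casefold():
            findings.append(f"unexpected value: {name}={got!r} (expected {want!r})")
    return findings


# Constructed sample response, not a real HCP capture. It deliberately omits
# X-Content-Type-Options and weakens X-Frame-Options so the audit flags both;
# the Cache-Control and CSP values are illustrative only.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/xml\r\n"
    "Cache-Control: no-store\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Pragma: no-cache\r\n"
    "X-DNS-Prefetch-Control: off\r\n"
    "X-Download-Options: noopen\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<root/>"
)


def audit_sample() -> list[str]:
    """Audit the constructed sample; returns the two expected findings."""
    return audit_headers(parse_response_headers(SAMPLE_RESPONSE))


if __name__ == "__main__":
    for finding in audit_sample() or ["all expected headers present"]:
        print(finding)
```

Values are compared case-insensitively because the header table is written in the canonical spelling while real servers and proxies may vary the case; if a stricter policy is wanted, replace the `casefold()` comparison with an exact match.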
HCP can also return several standard HTTP response headers that are not described in the help, including Connection, Content-Disposition, Content-Encoding, and Content-Language. For more information about HTTP response headers, see the HTTP/1.1 standards, RFCs 7230 through 7237.