Security-related response headers

For an HCP management API request, the HTTP response headers always include headers that address browser security concerns. These headers have fixed values. The table below describes these headers.

| Header | Value | Description |
| --- | --- | --- |
| Cache-Control | no-cache,no-store,must-revalidate | Specifies directives that must be obeyed by all caching mechanisms along the request/response chain |
| Content-Security-Policy | default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'self'; frame-ancestors 'self'; | Restricts the content that the browser can load to the sources specified by the header value |
| Expires | Thu, 01 Jan 1970 00:00:00 GMT | Causes the response to become stale immediately after it is sent |
| Pragma | no-cache | Prevents the response from being used for subsequent requests for the same resource without the browser first checking whether the resource has changed |
| X-Content-Type-Options | nosniff | Prevents the browser from examining the returned content to determine the content MIME type |
| X-DNS-Prefetch-Control | off | Prevents the browser from performing domain name resolution on URLs embedded in returned content before the URLs are requested |
| X-Download-Options | noopen | Prevents the browser from opening resources that are downloaded through links in the returned content |
| X-Frame-Options | SAMEORIGIN | Prevents the browser from rendering the returned content in a frame on a page containing content not returned by the HCP system |
| X-XSS-Protection | 1; mode=block | Stops the browser from loading the returned content if the browser detects reflected cross-site scripting (XSS) in the response |

Note: The Cache-Control and Expires headers are not returned with error responses.
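The following is an added example, not HCP's own code: a check that compares a response's headers against the fixed values in the table above, honouring the note that error responses omit Cache-Control and Expires. The sample 404 headers are constructed for illustration; the status-code threshold of 400 for "error response" is an assumption.

```python
# Added example, not HCP's own code: verify that a management API response
# carries the fixed security headers documented above. Names are matched
# case-insensitively, values ignoring whitespace, and the CSP directive by directive.
EXPECTED = {
    "Cache-Control": "no-cache,no-store,must-revalidate",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; "
        "connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; "
        "object-src 'self'; frame-ancestors 'self';"
    ),
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    "Pragma": "no-cache",
    "X-Content-Type-Options": "nosniff",
    "X-DNS-Prefetch-Control": "off",
    "X-Download-Options": "noopen",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}
OMITTED_ON_ERROR = {"Cache-Control", "Expires"}  # not returned with error responses

# Constructed sample: a 404 that correctly omits the cache headers but lacks
# X-Download-Options and carries a weakened X-Frame-Options value.
SAMPLE_404_HEADERS = {
    "content-security-policy": EXPECTED["Content-Security-Policy"],
    "pragma": "no-cache", "x-content-type-options": "nosniff",
    "x-dns-prefetch-control": "off", "x-frame-options": "ALLOWALL",
    "x-xss-protection": "1; mode=block",
}


def parse_csp(value):
    """Split a CSP value into {directive: set of sources}."""
    directives = [d.split() for d in value.split(";") if d.strip()]
    return {d[0]: set(d[1:]) for d in directives}


def check_security_headers(headers, status):
    """Return a list of findings; empty means every expected header matched."""
    got = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, expected in EXPECTED.items():
        if status >= 400 and name in OMITTED_ON_ERROR:
            continue  # documented exception for error responses (threshold assumed)
        actual = got.get(name.lower())
        if actual is None:
            findings.append(f"missing {name}")
        elif name == "Content-Security-Policy":
            if parse_csp(actual) != parse_csp(expected):
                findings.append(f"unexpected {name}: {actual}")
        elif actual.replace(" ", "") != expected.replace(" ", ""):
            findings.append(f"unexpected {name}: {actual}")
    return findings
```

Running `check_security_headers(SAMPLE_404_HEADERS, 404)` reports only the missing X-Download-Options and the weakened X-Frame-Options; the same headers checked as a 200 response additionally flag the absent Cache-Control and Expires.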