HTTP Security Headers API

Apply and manage HTTP security headers for SAP-branded view and click domains.

This API supports create, read, update, and delete (CRUD) operations. Image and CloudPage domains aren't supported.

The HTTP Security Headers API supports a discrete set of header and value pairs. Developers select which headers to apply from these nine options.

Content-Security-Policydefault-src 'self'; frame-ancestors 'self'
Strict-Transport-Securitymax-age=31536000; includeSubDomains
Cache-Controlno-cache, must-revalidate, max-age=0, no-store, private
X-XSS-Protection1; mode=block
Permissions-Policygeolocation=(self), microphone=()

The Content-Security-Policy sometimes breaks external content when applied to view domains. For example, it's possible to break an image that's hosted on another domain. Test your pages to ensure that your content renders as intended.

In this base URI example, the abbreviation {tse} is a placeholder that occupies the place of the tenant-specific-endpoint for the account.

Get All HTTP Security HeadersGET/messaging/v1/securityHeaders/allSecurity > HTTP Headers > View
Get HTTP Security HeadersGET/messaging/v1/securityHeadersSecurity > HTTP Headers > View
Update HTTP Security HeadersPOST/messaging/v1/securityHeadersSecurity > HTTP Headers > Update
Delete HTTP Security HeadersDELETE/messaging/v1/securityHeaders/{PageType}Security > HTTP Headers > Delete

This API uses the standard error status codes outlined on the Handle Errors in REST API page.