HTTP Security Headers API

Apply and manage HTTP security headers for SAP-branded view and click domains.

This API supports create, read, update, and delete (CRUD) operations. Image and CloudPage domains aren't supported.

The HTTP Security Headers API supports a discrete set of header and value pairs. Developers select which headers to apply from these nine options.

| Header | Value |
| --- | --- |
| Content-Security-Policy | default-src 'self'; frame-ancestors 'self' |
| X-Frame-Options | SAMEORIGIN |
| X-Content-Type-Options | nosniff |
| Referrer-Policy | origin-when-cross-origin |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Cache-Control | no-cache, must-revalidate, max-age=0, no-store, private |
| X-XSS-Protection | 1; mode=block |
| Permissions-Policy | geolocation=(self), microphone=() |
| Set-Cookie | strict |

The Content-Security-Policy sometimes breaks external content when applied to view domains. For example, it's possible to break an image that's hosted on another domain. Test your pages to ensure that your content renders as intended.
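The rendering check described above can be run before the header is applied. This added example (not part of the original documentation) lists what the policy value from the table would block on a page; the page URL and HTML are constructed samples, the function and class names are hypothetical, and 'self' is approximated as a strict same-origin match.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL is fetched under a directive that falls back to default-src.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src", "object": "data"}
LINK_RELS = {"stylesheet", "icon", "preload", "manifest"}

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or {"http": 80, "https": 443}.get(p.scheme))

class SelfOnlyAudit(HTMLParser):
    """Collect what default-src 'self' would block (assumption: strict same-origin match)."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.blocked = page_url, []

    def check(self, tag, url):
        absolute = urljoin(self.page_url, url)
        # 'self' does not cover other origins or data:/blob: URLs.
        if origin(absolute) != origin(self.page_url):
            self.blocked.append((tag, absolute))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        if tag in FETCH_ATTRS and a.get(FETCH_ATTRS[tag]):
            self.check(tag, a[FETCH_ATTRS[tag]])
        elif tag == "link" and a.get("href") and rels & LINK_RELS:
            self.check(tag, a["href"])
        elif tag in ("script", "style"):
            # Inline script and style need 'unsafe-inline', a nonce or a hash; the policy has none.
            self.blocked.append((tag, "(inline)"))
        if a.get("style"):
            self.blocked.append((tag, "(inline style attribute)"))

def audit(page_url, html):
    parser = SelfOnlyAudit(page_url)
    parser.feed(html)
    return parser.blocked

# Constructed sample page and URL, for illustration only.
SAMPLE_URL = "https://view.example.com/page"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/css/site.css">
<style>p { color: red }</style></head><body>
<img src="/images/logo.png"><img src="https://cdn.example.net/banner.png">
<script src="https://view.example.com/app.js"></script>
<p style="margin:0">Hi</p><a href="https://other.example.org/">link</a></body></html>"""
```

Calling audit(SAMPLE_URL, SAMPLE_HTML) reports the inline style block, the image on the other domain, and the inline style attribute; same-origin resources and the outbound link are not flagged.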

In this base URI example, the abbreviation {tse} is a placeholder that occupies the place of the tenant-specific-endpoint for the account.

| Function | Method | Route | Permissions |
| --- | --- | --- | --- |
| Get All HTTP Security Headers | GET | /messaging/v1/securityHeaders/all | Security > HTTP Headers > View |
| Get HTTP Security Headers | GET | /messaging/v1/securityHeaders | Security > HTTP Headers > View |
| Update HTTP Security Headers | POST | /messaging/v1/securityHeaders | Security > HTTP Headers > Update |
| Delete HTTP Security Headers | DELETE | /messaging/v1/securityHeaders/{PageType} | Security > HTTP Headers > Delete |

This API uses the standard error status codes outlined on the Handle Errors in REST API page.