HTTP Security Headers API
Apply and manage HTTP security headers for SAP-branded view and click domains.
This API supports create, read, update, and delete (CRUD) operations. Image and CloudPage domains aren't supported.
The HTTP Security Headers API supports a discrete set of header and value pairs. Developers select which headers to apply from these nine options.
Header | Value |
---|---|
Content-Security-Policy | default-src 'self'; frame-ancestors 'self' |
X-Frame-Options | SAMEORIGIN |
X-Content-Type-Options | nosniff |
Referrer-Policy | origin-when-cross-origin |
Strict-Transport-Security | max-age=31536000; includeSubDomains |
Cache-Control | no-cache, must-revalidate, max-age=0, no-store, private |
X-XSS-Protection | 1; mode=block |
Permissions-Policy | geolocation=(self), microphone=() |
Set-Cookie | strict |
The Content-Security-Policy value default-src 'self' permits only resources served from the page's own origin, so applying it to view domains can break externally hosted content. For example, an image hosted on another domain no longer loads. Test your pages to ensure that your content renders as intended.
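To test a page after the headers are applied, fetch it and compare the response against the table above. The script below is an added example for this page, not Marketing Cloud code: it audits a header list against the eight verbatim values, checks each Set-Cookie for SameSite=Strict (an assumption about what the table's "strict" means), and predicts which resources the Content-Security-Policy value will block, which is the breakage described above. The sample response and resource list are constructed; the CSP matcher handles 'self', 'none', '*' and host sources, a little beyond the single policy on this page.

```python
"""Audit a page's response headers against the header/value pairs above and
predict which resources the Content-Security-Policy value will block.
Added example for this page, not Marketing Cloud code; the sample response and
resource list are constructed."""
from urllib.parse import urlsplit

# The eight headers compared verbatim (Set-Cookie is handled by cookies_missing_strict).
EXPECTED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "no-cache, must-revalidate, max-age=0, no-store, private",
    "X-XSS-Protection": "1; mode=block",
    "Permissions-Policy": "geolocation=(self), microphone=()",
}
# CSP fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = {"img", "script", "style", "font", "connect", "media"}

def _norm(value):
    return " ".join(value.lower().split())  # compare values case- and space-insensitively

def audit_headers(response_headers, expected=EXPECTED_HEADERS):
    """Return (missing, mismatched) for a list of (name, value) pairs as received.
    Header names match case-insensitively; repeated headers keep the first value."""
    seen = {}
    for name, value in response_headers:
        seen.setdefault(name.lower(), value)
    missing = [h for h in expected if h.lower() not in seen]
    mismatched = [(h, seen[h.lower()]) for h, want in expected.items()
                  if h.lower() in seen and _norm(seen[h.lower()]) != _norm(want)]
    return missing, mismatched

def cookies_missing_strict(response_headers):
    """Cookie names whose Set-Cookie lacks SameSite=Strict. The table lists the
    value only as 'strict'; this assumes it means the SameSite=Strict attribute."""
    bad = []
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            cookie, *attrs = [p.strip() for p in value.split(";")]
            if "samesite=strict" not in [a.lower() for a in attrs]:
                bad.append(cookie.split("=", 1)[0])
    return bad

def _origin(url):
    p = urlsplit(url)
    return (p.scheme.lower(), p.hostname or "",
            p.port or {"https": 443, "http": 80}.get(p.scheme.lower()))

def parse_csp(policy):
    """'default-src 'self'; frame-ancestors 'self'' -> {'default-src': ["'self'"], ...}"""
    out = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = [s.lower() for s in parts[1:]]
    return out

def _allows(source, page_origin, res_origin):
    """Subset of CSP source matching: 'self', 'none', '*', host with optional *. prefix."""
    if source == "'self'":
        return res_origin == page_origin
    if source in ("'none'", "*"):
        return source == "*"
    host = source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    if host.startswith("*."):
        return res_origin[1].endswith(host[1:])
    return res_origin[1] == host

def blocked_resources(page_url, resources, policy):
    """Return [(url, governing_directive)] for (url, type) resources the policy blocks."""
    csp, page_origin, blocked = parse_csp(policy), _origin(page_url), []
    for url, rtype in resources:
        directive = f"{rtype}-src"
        if directive not in csp and rtype in FETCH_DIRECTIVES:
            directive = "default-src"  # no explicit directive: default-src governs
        sources = csp.get(directive)
        if sources is not None and not any(_allows(s, page_origin, _origin(url)) for s in sources):
            blocked.append((url, directive))
    return blocked

# Constructed response from a view-domain page with two deliberate defects
# (Referrer-Policy differs, Permissions-Policy absent) and one lax cookie.
SAMPLE_RESPONSE = [
    ("content-security-policy", "default-src 'self'; frame-ancestors 'self'"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "no-referrer"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Cache-Control", "no-cache, must-revalidate, max-age=0, no-store, private"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Set-Cookie", "pref=1; Path=/"),
]
SAMPLE_RESOURCES = [
    ("https://view.example.com/img/logo.png", "img"),
    ("https://cdn.example.net/hero.jpg", "img"),  # cross-origin image: blocked by default-src 'self'
    ("https://view.example.com/js/app.js", "script"),
]

if __name__ == "__main__":
    print(audit_headers(SAMPLE_RESPONSE))
    print(cookies_missing_strict(SAMPLE_RESPONSE))
    print(blocked_resources("https://view.example.com/page", SAMPLE_RESOURCES,
                            EXPECTED_HEADERS["Content-Security-Policy"]))
```

Feed `audit_headers` the raw header list from your HTTP client rather than a dict, so repeated Set-Cookie headers are not collapsed. The CSP prediction is only as good as the resource inventory you give it; pull that from the rendered page's img, script, link and iframe sources.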
In the routes below, the base URI uses {tse} as a placeholder for the account's tenant-specific endpoint.
Function | Method | Route | Permissions |
---|---|---|---|
Get All HTTP Security Headers | GET | /messaging/v1/securityHeaders/all | Security > HTTP Headers > View |
Get HTTP Security Headers | GET | /messaging/v1/securityHeaders | Security > HTTP Headers > View |
Update HTTP Security Headers | POST | /messaging/v1/securityHeaders | Security > HTTP Headers > Update |
Delete HTTP Security Headers | DELETE | /messaging/v1/securityHeaders/{PageType} | Security > HTTP Headers > Delete |
This API uses the standard error status codes outlined on the Handle Errors in REST API page.
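A minimal client for the four routes above, as an added example for this page rather than Salesforce code. It assumes the base URI is https://{tse}.rest.marketingcloudapis.com with {tse} the tenant-specific endpoint, that the caller already holds an OAuth access token, and that the request body for the update route (whose schema is not shown on this page) is supplied by the caller as a plain dict; the PageType value "View" and the example-tse endpoint are placeholders. The transport is injectable so the recorder below exercises every route and the error path offline.

```python
"""Minimal client for the four HTTP Security Headers routes in the table above.
Added example for this page, not Salesforce code. Assumed: base URI
https://{tse}.rest.marketingcloudapis.com, an OAuth access token already
obtained, and a caller-supplied body for the update route."""
import io
import json
import urllib.error
import urllib.request

ROUTE = "/messaging/v1/securityHeaders"


class SecurityHeadersClient:
    def __init__(self, tse, access_token, opener=None):
        self.base = f"https://{tse}.rest.marketingcloudapis.com"  # assumed base URI
        self.token = access_token
        self._open = opener or urllib.request.urlopen  # injectable for offline tests

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        req.add_header("Content-Type", "application/json")
        try:
            with self._open(req) as resp:
                raw = resp.read()
        except urllib.error.HTTPError as err:
            # The API uses the standard REST error status codes; keep the status
            # and the response body, which carries the error detail.
            detail = err.read().decode("utf-8", "replace")
            raise RuntimeError(f"{method} {path}: HTTP {err.code}: {detail}") from None
        return json.loads(raw) if raw else None

    def get_all(self):              # Security > HTTP Headers > View
        return self._request("GET", ROUTE + "/all")

    def get(self):                  # Security > HTTP Headers > View
        return self._request("GET", ROUTE)

    def update(self, payload):      # Security > HTTP Headers > Update
        return self._request("POST", ROUTE, payload)

    def delete(self, page_type):    # Security > HTTP Headers > Delete
        return self._request("DELETE", f"{ROUTE}/{page_type}")


class RecordingOpener:
    """Offline stand-in for urlopen: records each request and returns canned JSON,
    or raises HTTPError with the given status to exercise the error path."""

    def __init__(self, status=None):
        self.status = status
        self.requests = []

    def __call__(self, req):
        body = json.loads(req.data) if req.data else None
        self.requests.append((req.get_method(), req.full_url,
                              req.get_header("Authorization"), body))
        if self.status:
            raise urllib.error.HTTPError(req.full_url, self.status, "error", None,
                                         io.BytesIO(b'{"message": "Unauthorized"}'))
        return io.BytesIO(b'{"ok": true}')


# Constructed placeholder body; the real schema is in the API reference.
EXAMPLE_UPDATE_BODY = {"placeholder": "request body per the API reference"}


def demo():
    """Exercise all four routes against the recorder; returns the recorded requests."""
    opener = RecordingOpener()
    client = SecurityHeadersClient("example-tse", "TOKEN", opener=opener)
    client.get_all()
    client.get()
    client.update(EXAMPLE_UPDATE_BODY)
    client.delete("View")  # assumed PageType value; use the one from the API reference
    return opener.requests


def demo_error():
    """A 401 from the API surfaces as a RuntimeError carrying status and body."""
    client = SecurityHeadersClient("example-tse", "BAD", opener=RecordingOpener(status=401))
    try:
        client.get()
    except RuntimeError as err:
        return str(err)
    return None


if __name__ == "__main__":
    for method, url, auth, body in demo():
        print(method, url, auth, body)
    print(demo_error())
```

The access token is sent only as a bearer header and never logged; keep it that way if you add logging to `_request`, since the error message deliberately includes the response body but not the request headers.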