Update Content Security Policy

URL:
https://<root>/security/config/updateContentSecurityPolicy
Methods:
POST
Version Introduced:
11.5

Description

The updateContentSecurityPolicy operation updates the Content-Security-Policy (CSP) response headers that are included when accessing different components of ArcGIS Server.

Currently, this operation only supports setting one CSP response header. When set, this response header is applied to each HTML page in the Services Directory and prevents the JavaScript used in XSS attacks from running, which allows organizations to protect themselves from XSS attacks while keeping the HTML view of the Services Directory enabled.

Request parameters

Parameter | Details

contentSecurityPolicy

(Required)

A JSON object that specifies the Content-Security-Policy response headers being applied. Currently, this property only supports defining the CSP response header for rest, which applies to each HTML page in the Services Directory. The default value for rest is script-src 'self';.

contentSecurityPolicy={"rest": "script-src 'self';"}

f

The response format. The default format is html.

Values: html | json | pjson

Example usage

The following is a sample POST request for the updateContentSecurityPolicy operation:

POST /<context>/admin/security/config/updateContentSecurityPolicy HTTP/1.1
Host: organization.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: []

contentSecurityPolicy={"rest": "script-src 'self';"}&f=pjson

JSON Response example

{"status": "success"}
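
Added example (not part of the original documentation): a pre-flight check that reviews a proposed rest policy for script sources that would undo the XSS protection described above, then builds the URL-encoded form body for the POST request. The function names and the list of weak sources are assumptions made for this sketch; authentication and the HTTP call itself are not shown.

```python
import json
from urllib.parse import urlencode, parse_qs

# Assumed review list: sources that re-enable inline or arbitrary script
# execution and so defeat the purpose of the header.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(policy):
    """Split a CSP string into {directive: [sources]}; first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def review_policy(policy):
    """Return a list of findings; an empty list means no issue was found."""
    directives = parse_csp(policy)
    # Browsers fall back to default-src when script-src is absent.
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts are not restricted"]
    return [f"weak script source: {s}" for s in sources if s.lower() in WEAK_SCRIPT_SOURCES]


def build_body(rest_policy, fmt="json"):
    """Build the form-encoded body for updateContentSecurityPolicy.

    fmt is one of html | json | pjson; json is chosen here for scripting.
    """
    findings = review_policy(rest_policy)
    if findings:
        raise ValueError("; ".join(findings))
    payload = json.dumps({"rest": rest_policy})
    # urlencode percent-encodes the quotes, braces and semicolon in the JSON.
    return urlencode({"contentSecurityPolicy": payload, "f": fmt})


if __name__ == "__main__":
    body = build_body("script-src 'self';")
    print(body)
    # Decoding the body recovers the JSON object shown in the sample request.
    print(parse_qs(body)["contentSecurityPolicy"][0])
```
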
