URL:
https://<root>/security/config/updateContentSecurityPolicy
Methods:
POST
Version Introduced:
11.5

Access requirements

Required privileges

The Server Administrator API requires privilege-based access. An administrator must be assigned a specific user privilege, or role, to access any given endpoint. Listed below are the user privileges or roles an administrator can be assigned that provide access to this endpoint. If multiple privileges are listed, only one needs to be assigned to gain access.



Note that administrators assigned a custom role must also have the administrative View all content privilege assigned to them to access the API directory as an administrator.

Tokens

This API requires token-based authentication. A token is automatically generated for administrators who sign in to the ArcGIS Server Administrator API directory's HTML interface. Tokens generated in this way are stored for the entirety of the session.

Those accessing the API directory outside of the HTML interface will need to acquire a session token from the ArcGIS Server Administrator API generateToken operation. For security reasons, all POST requests made to the ArcGIS Server Administrator API must include a token in the request body.


Learn how to generate a token

Description

The updateContentSecurityPolicy operation updates the Content-Security-Policy (CSP) response headers that are included when accessing different components of ArcGIS Server.

At ArcGIS Enterprise 11.5, this operation only supported setting one CSP response header, rest. At 12.0, this operation can also be used to set the admin response header. These response headers are applied to each HTML page in the Services Directory and Administrator Directory, respectively. These headers prevent the JavaScript used in XSS attacks from running, which allows organizations to protect themselves from XSS attacks while keeping the HTML view of the API directories enabled.

Request parameters

Parameter | Details

contentSecurityPolicy

(Required)

A JSON object that specifies the Content-Security-Policy response headers being applied. This operation supports setting CSP response headers for rest and admin. The default value for each is script-src 'self';.

contentSecurityPolicy={"rest": "script-src 'self';"}

f

The response format. The default format is html.

Values: html | json | pjson

Example usage

The following is a sample POST request for the updateContentSecurityPolicy operation:

POST /<context>/admin/security/config/updateContentSecurityPolicy HTTP/1.1
Host: organization.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: []

contentSecurityPolicy={"rest": "script-src 'self';","admin": "script-src 'self';"}&f=pjson&token=<token>
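As an added example (not Esri's code and not part of this page), a Python helper that builds exactly this POST body and refuses to apply a policy whose script-src would still let injected script run; the host, context path and token value are placeholders.

```python
import json
from urllib.parse import urlencode, parse_qs

# Placeholder values, constructed for this example; substitute your own server root.
ROOT = "https://organization.example.com/<context>/admin"
ENDPOINT = "/security/config/updateContentSecurityPolicy"

# script-src sources that defeat the purpose of the header (any page script can run).
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(policy: str) -> dict:
    """Split a CSP header value such as "script-src 'self';" into {directive: [sources]}."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def weak_script_sources(policy: str) -> list:
    """Return the script-src sources that would let injected script run (empty list = acceptable).
    A policy with no script-src directive at all is reported as well."""
    directives = parse_csp(policy)
    if "script-src" not in directives:
        return ["missing script-src"]
    return [s for s in directives["script-src"] if s in WEAK_SOURCES]


def build_update_request(rest_policy: str, admin_policy: str, token: str) -> tuple:
    """Return (url, form_body) for updateContentSecurityPolicy, checking both policies first."""
    for name, policy in (("rest", rest_policy), ("admin", admin_policy)):
        weak = weak_script_sources(policy)
        if weak:
            raise ValueError(f"{name} policy would not stop XSS: {weak}")
    body = urlencode({
        "contentSecurityPolicy": json.dumps({"rest": rest_policy, "admin": admin_policy}),
        "f": "pjson",
        "token": token,  # the token must be in the POST body, not the URL
    })
    return ROOT + ENDPOINT, body


def decode_body(body: str) -> dict:
    """Decode a form body back into a dict (the CSP value is parsed from JSON) for inspection."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    fields["contentSecurityPolicy"] = json.loads(fields["contentSecurityPolicy"])
    return fields


if __name__ == "__main__":
    url, body = build_update_request("script-src 'self';", "script-src 'self';", "<token>")
    print(url)
    print(body)
```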

JSON Response example

{"status": "success"}
