Update Content Security Policy | ArcGIS REST APIs

URL:: https://<root>/security/config/updateContentSecurityPolicy
Methods:: POST
Version Introduced:: 11.5

Access requirements

Required privileges

The Sever Administrator API requires privilege-based access. An administrator must be assigned a specific user privilege, or role, to access any given endpoint. Listed below are the user privileges or roles an administrator can be assigned that provides access to this endpoint. If multiple privileges are listed, only one needs to be assigned to gain access.

Security and infrastructure Servers

Note that administrators assigned a custom role must also have the administrative View all content privilege assigned to them to access the API directory as an administrator.

Tokens

This API requires token-based authentication. A token is automatically generated for administrators who sign in to the Server Administrator API directory's HTML interface. Tokens generated in this way are stored for the entirety of the session.

Those accessing the API directory outside of the HTML interface will need to acquire a session token from the generateToken operation in the Portal Directory API. For security reasons, all POST requests made to the Server Administrator API must include a token in the request body.

Learn how to generate a token

Description

The updateContentSecurityPolicy operation updates the Content-Security-Policy (CSP) response headers that are included when accessing different components of ArcGIS Server.

Currently, this operation only supports setting one CSP response header. When set, this response header is applied to each HTML page in the Services Directory and prevents the JavaScript used in XSS attacks from running, which allows organizations to protect themselves from XSS attacks while keeping the HTML view of the Services Directory enabled.

Request parameters

Parameter Details

Parameter	Details
`contentSecurityPolicy` (Required)	A JSON object that specifies the Content-Security-Policy response headers being applied. Currently, this property only supports defining the CSP response header for `rest` which applies to each HTML page in the Services Directory. The default value for `rest` is `script-src 'self';`. Note The values for CSP response headers can be one or more of the CSP directives based on the CSP specifications. For more information on CSP syntax and directives, reference the Content-Security-Policy documentation maintained by MDN Web Docs. Use dark colors for code blocksCopy `1 contentSecurityPolicy={"rest": "script-src 'self';"}`
`f`	The response format. The default format is `html`. Values: `html` \| `json` \| `pjson`

contentSecurityPolicy

(Required)

A JSON object that specifies the Content-Security-Policy response headers being applied. Currently, this property only supports defining the CSP response header for rest which applies to each HTML page in the Services Directory. The default value for rest is script-src 'self';.

Use dark colors for code blocksCopy
contentSecurityPolicy={"rest": "script-src 'self';"}

f

The response format. The default format is html.

Values: html | json | pjson

Example usage

The following is a sample POST request for the updateContentSecurityPolicy operation:

Use dark colors for code blocksCopy
POST /<context>/admin/security/config/updateContentSecurityPolicy HTTP/1.1
Host: organization.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: []

contentSecurityPolicy={"rest": "script-src 'self';"}&f=pjson

JSON Response example

Use dark colors for code blocksCopy
{"status": "success"}