CSP origins

CSP origins allow you to configure domains, or origins, that Qlik Sense client visualizations/extensions are allowed to communicate with.

Download specification

Endpoints

GET

/v1/csp-origins
POST

/v1/csp-origins
GET

/v1/csp-origins/{id}
PUT

/v1/csp-origins/{id}
DELETE

/v1/csp-origins/{id}
GET

/v1/csp-origins/actions/generate-header

Retrieves all content security policies for a tenant.

Facts

Rate limit	Tier 1 (1000 requests per minute)
Categories	embed

Query Parameters

childSrcboolean

Filter resources by directive 'childSrc', true/false.
connectSrcboolean

Filter resources by directive 'connectSrc', true/false.
connectSrcWSSboolean

Filter resources by directive 'connectSrcWSS', true/false.
fontSrcboolean

Filter resources by directive 'fontSrc', true/false.
formActionboolean

Filter resources by directive 'formAction', true/false.
frameAncestorsboolean

Filter resources by directive 'frameAncestors', true/false.
frameSrcboolean

Filter resources by directive 'frameSrc', true/false.
imgSrcboolean

Filter resources by directive 'imgSrc', true/false.
limitnumber

Maximum number of CSP-Origins to retrieve.

minimum = 1, maximum = 100, default = 20, default = 20
mediaSrcboolean

Filter resources by directive 'mediaSrc', true/false.
namestring

Filter resources by name (wildcard and case insensitive).
nextstring

Cursor to the next page.
objectSrcboolean

Filter resources by directive 'objectSrc', true/false.
originstring

Filter resources by origin (wildcard and case insensitive).
prevstring

Cursor to previous next page.
scriptSrcboolean

Filter resources by directive 'scriptSrc', true/false.
sortstring

Field to sort by, prefix with -/+ to indicate order.

Can be one of: "name""-name""origin""-origin""createdDate""-createdDate""modifiedDate""-modifiedDate"
styleSrcboolean

Filter resources by directive 'styleSrc', true/false.
workerSrcboolean

Filter resources by directive 'workerSrc', true/false.

Responses

200

application/json

OK Response

application/jsonobject
Show application/json properties
- dataarray of objects
  
  Show data properties
  
  namestring
  
  The name for this entry.
  
  maxLength = 512
  
  imgSrcboolean
  
  Specifies valid sources of images and favicons.
  
  originstring
  Required
  
  The origin that the CSP directives should be applied to.
  
  maxLength = 256
  
  fontSrcboolean
  
  Specifies valid sources for loading fonts.
  
  childSrcboolean
  
  Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.
  
  frameSrcboolean
  
  Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.
  
  mediaSrcboolean
  
  Specifies valid sources for loading media using the audio and video elements.
  
  styleSrcboolean
  
  Specifies valid sources for stylesheets.
  
  objectSrcboolean
  
  Specifies valid sources for the object, embed, and applet elements.
  
  scriptSrcboolean
  
  Specifies valid sources for JavaScript.
  
  workerSrcboolean
  
  Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
  
  connectSrcboolean
  
  Restricts the URLs that can be loaded using script interfaces.
  
  formActionboolean
  
  Allow forms to be submitted to the origin.
  
  createdDatestring
  
  The UTC timestamp when the CSP entry was created.
  
  format = "date-time"
  
  descriptionstring
  
  The reason for adding this origin to the Content Security Policy.
  
  maxLength = 1024
  
  modifiedDatestring
  
  The UTC timestamp when the CSP entry was last modified.
  
  format = "date-time"
  
  connectSrcWSSboolean
  
  Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://').
  
  frameAncestorsboolean
  
  Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.
  
  idstring
  
  The CSP entry's unique identifier.
- linksobject
  
  Show links properties
  
  nextobject
  
  Show next properties
  
  hrefstring
  Required
  
  URL to a resource request.
  
  prevobject
  
  Show prev properties
  
  hrefstring
  Required
  
  URL to a resource request.
  
  selfobject
  
  Show self properties
  
  hrefstring
  Required
  
  URL to a resource request.

400

application/json

Bad Request

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

401

application/json

Unauthorized

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

403

application/json

Forbidden

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

500

application/json

Internal Server Error

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

503

application/json

Service Unavailable

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

GET /v1/csp-origins

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins" \
-H "Authorization: Bearer <access_token>"

const https = require('https')
  const data = JSON.stringify("")
  const options =   {
    'hostname': 'https://your-tenant.us.qlikcloud.com',
    'port': 443,
    'path': '/api/v1/csp-origins',
    'method': 'GET',
    'headers': {
      'Authorization': 'Bearer <access_token>'
    }
  }
  const req = https.request(options)

qlik csp-origin ls

Response

{
  "data": [
    {
      "name": "string",
      "imgSrc": true,
      "origin": "string",
      "fontSrc": true,
      "childSrc": true,
      "frameSrc": true,
      "mediaSrc": true,
      "styleSrc": true,
      "objectSrc": true,
      "scriptSrc": true,
      "workerSrc": true,
      "connectSrc": true,
      "formAction": true,
      "createdDate": "2018-10-30T07:06:22Z",
      "description": "string",
      "modifiedDate": "2018-10-30T07:06:22Z",
      "connectSrcWSS": true,
      "frameAncestors": true,
      "id": "string"
    }
  ],
  "links": {
    "next": {
      "href": "string"
    },
    "prev": {
      "href": "string"
    },
    "self": {
      "href": "string"
    }
  }
}

Creates a new content security policy for an origin.

Facts

Rate limit	Tier 2 (100 requests per minute)
Categories	embed

Request Body

Required

application/json

application/jsonobject
Show application/json properties
- namestring
  
  The name for this entry.
  
  maxLength = 512
- imgSrcboolean
  
  Specifies valid sources of images and favicons.
- originstring
  Required
  
  The origin that the CSP directives should be applied to.
  
  maxLength = 256
- fontSrcboolean
  
  Specifies valid sources for loading fonts.
- childSrcboolean
  
  Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.
- frameSrcboolean
  
  Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.
- mediaSrcboolean
  
  Specifies valid sources for loading media using the audio and video elements.
- styleSrcboolean
  
  Specifies valid sources for stylesheets.
- objectSrcboolean
  
  Specifies valid sources for the object, embed, and applet elements.
- scriptSrcboolean
  
  Specifies valid sources for JavaScript.
- workerSrcboolean
  
  Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- connectSrcboolean
  
  Restricts the URLs that can be loaded using script interfaces.
- formActionboolean
  
  Allow forms to be submitted to the origin.
- descriptionstring
  
  The reason for adding this origin to the Content Security Policy.
  
  maxLength = 1024
- connectSrcWSSboolean
  
  Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://').
- frameAncestorsboolean
  
  Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.

Responses

201

application/json

OK Response

application/jsonobject
Show application/json properties
- namestring
  
  The name for this entry.
  
  maxLength = 512
- imgSrcboolean
  
  Specifies valid sources of images and favicons.
- originstring
  Required
  
  The origin that the CSP directives should be applied to.
  
  maxLength = 256
- fontSrcboolean
  
  Specifies valid sources for loading fonts.
- childSrcboolean
  
  Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.
- frameSrcboolean
  
  Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.
- mediaSrcboolean
  
  Specifies valid sources for loading media using the audio and video elements.
- styleSrcboolean
  
  Specifies valid sources for stylesheets.
- objectSrcboolean
  
  Specifies valid sources for the object, embed, and applet elements.
- scriptSrcboolean
  
  Specifies valid sources for JavaScript.
- workerSrcboolean
  
  Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- connectSrcboolean
  
  Restricts the URLs that can be loaded using script interfaces.
- formActionboolean
  
  Allow forms to be submitted to the origin.
- createdDatestring
  
  The UTC timestamp when the CSP entry was created.
  
  format = "date-time"
- descriptionstring
  
  The reason for adding this origin to the Content Security Policy.
  
  maxLength = 1024
- modifiedDatestring
  
  The UTC timestamp when the CSP entry was last modified.
  
  format = "date-time"
- connectSrcWSSboolean
  
  Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://').
- frameAncestorsboolean
  
  Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.
- idstring
  
  The CSP entry's unique identifier.

400

application/json

Bad Request

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

401

application/json

Unauthorized

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

403

application/json

Forbidden

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

500

application/json

Internal Server Error

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

503

application/json

Service Unavailable

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

POST /v1/csp-origins

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins" \
-X POST \
-H "Content-type: application/json" \
-H "Authorization: Bearer <access_token>" \
-d '{"name":"string","imgSrc":true,"origin":"string","fontSrc":true,"childSrc":true,"frameSrc":true,"mediaSrc":true,"styleSrc":true,"objectSrc":true,"scriptSrc":true,"workerSrc":true,"connectSrc":true,"formAction":true,"description":"string","connectSrcWSS":true,"frameAncestors":true}'

const https = require('https')
  const data = JSON.stringify({"name":"string","imgSrc":true,"origin":"string","fontSrc":true,"childSrc":true,"frameSrc":true,"mediaSrc":true,"styleSrc":true,"objectSrc":true,"scriptSrc":true,"workerSrc":true,"connectSrc":true,"formAction":true,"description":"string","connectSrcWSS":true,"frameAncestors":true})
  const options =   {
    'hostname': 'https://your-tenant.us.qlikcloud.com',
    'port': 443,
    'path': '/api/v1/csp-origins',
    'method': 'POST',
    'headers': {
      'Content-type': 'application/json',
      'Authorization': 'Bearer <access_token>'
    }
  }
  const req = https.request(options)
  req.write(data)

qlik csp-origin create \
--childSrc=true \
--connectSrc=true \
--connectSrcWSS=true \
--description="string" \
--fontSrc=true \
--formAction=true \
--frameAncestors=true \
--frameSrc=true \
--imgSrc=true \
--mediaSrc=true \
--name="string" \
--objectSrc=true \
--origin="string" \
--scriptSrc=true \
--styleSrc=true \
--workerSrc=true

Request

{
  "name": "string",
  "imgSrc": true,
  "origin": "string",
  "fontSrc": true,
  "childSrc": true,
  "frameSrc": true,
  "mediaSrc": true,
  "styleSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "workerSrc": true,
  "connectSrc": true,
  "formAction": true,
  "description": "string",
  "connectSrcWSS": true,
  "frameAncestors": true
}

Response

{
  "name": "string",
  "imgSrc": true,
  "origin": "string",
  "fontSrc": true,
  "childSrc": true,
  "frameSrc": true,
  "mediaSrc": true,
  "styleSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "workerSrc": true,
  "connectSrc": true,
  "formAction": true,
  "createdDate": "2018-10-30T07:06:22Z",
  "description": "string",
  "modifiedDate": "2018-10-30T07:06:22Z",
  "connectSrcWSS": true,
  "frameAncestors": true,
  "id": "string"
}

Returns details for a specific content security policy.

Facts

Rate limit	Tier 1 (1000 requests per minute)
Categories	embed

Path Parameters

idstring
Required

The CSP entry's unique identifier.

Responses

200

application/json

OK Response

application/jsonobject
Show application/json properties
- namestring
  
  The name for this entry.
  
  maxLength = 512
- imgSrcboolean
  
  Specifies valid sources of images and favicons.
- originstring
  Required
  
  The origin that the CSP directives should be applied to.
  
  maxLength = 256
- fontSrcboolean
  
  Specifies valid sources for loading fonts.
- childSrcboolean
  
  Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.
- frameSrcboolean
  
  Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.
- mediaSrcboolean
  
  Specifies valid sources for loading media using the audio and video elements.
- styleSrcboolean
  
  Specifies valid sources for stylesheets.
- objectSrcboolean
  
  Specifies valid sources for the object, embed, and applet elements.
- scriptSrcboolean
  
  Specifies valid sources for JavaScript.
- workerSrcboolean
  
  Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- connectSrcboolean
  
  Restricts the URLs that can be loaded using script interfaces.
- formActionboolean
  
  Allow forms to be submitted to the origin.
- createdDatestring
  
  The UTC timestamp when the CSP entry was created.
  
  format = "date-time"
- descriptionstring
  
  The reason for adding this origin to the Content Security Policy.
  
  maxLength = 1024
- modifiedDatestring
  
  The UTC timestamp when the CSP entry was last modified.
  
  format = "date-time"
- connectSrcWSSboolean
  
  Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://').
- frameAncestorsboolean
  
  Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.
- idstring
  
  The CSP entry's unique identifier.

400

application/json

Bad Request

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

401

application/json

Unauthorized

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

403

application/json

Forbidden

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

404

application/json

Not found

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

500

application/json

Internal Server Error

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

503

application/json

Service Unavailable

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

GET /v1/csp-origins/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
-H "Authorization: Bearer <access_token>"

const https = require('https')
  const data = JSON.stringify("")
  const options =   {
    'hostname': 'https://your-tenant.us.qlikcloud.com',
    'port': 443,
    'path': '/api/v1/csp-origins/{id}',
    'method': 'GET',
    'headers': {
      'Authorization': 'Bearer <access_token>'
    }
  }
  const req = https.request(options)

qlik csp-origin get <csp-originId>

Response

{
  "name": "string",
  "imgSrc": true,
  "origin": "string",
  "fontSrc": true,
  "childSrc": true,
  "frameSrc": true,
  "mediaSrc": true,
  "styleSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "workerSrc": true,
  "connectSrc": true,
  "formAction": true,
  "createdDate": "2018-10-30T07:06:22Z",
  "description": "string",
  "modifiedDate": "2018-10-30T07:06:22Z",
  "connectSrcWSS": true,
  "frameAncestors": true,
  "id": "string"
}

Updates a content security policy.

Facts

Rate limit	Tier 2 (100 requests per minute)
Categories	embed

Path Parameters

idstring
Required

The CSP entry's unique identifier.

Request Body

Required

application/json

application/jsonobject
Show application/json properties
- namestring
  
  The name for this entry.
  
  maxLength = 512
- imgSrcboolean
  
  Specifies valid sources of images and favicons.
- originstring
  Required
  
  The origin that the CSP directives should be applied to.
  
  maxLength = 256
- fontSrcboolean
  
  Specifies valid sources for loading fonts.
- childSrcboolean
  
  Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.
- frameSrcboolean
  
  Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.
- mediaSrcboolean
  
  Specifies valid sources for loading media using the audio and video elements.
- styleSrcboolean
  
  Specifies valid sources for stylesheets.
- objectSrcboolean
  
  Specifies valid sources for the object, embed, and applet elements.
- scriptSrcboolean
  
  Specifies valid sources for JavaScript.
- workerSrcboolean
  
  Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- connectSrcboolean
  
  Restricts the URLs that can be loaded using script interfaces.
- formActionboolean
  
  Allow forms to be submitted to the origin.
- descriptionstring
  
  The reason for adding this origin to the Content Security Policy.
  
  maxLength = 1024
- connectSrcWSSboolean
  
  Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://').
- frameAncestorsboolean
  
  Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.

Responses

200

application/json

OK Response

application/jsonobject
Show application/json properties
- namestring
  
  The name for this entry.
  
  maxLength = 512
- imgSrcboolean
  
  Specifies valid sources of images and favicons.
- originstring
  Required
  
  The origin that the CSP directives should be applied to.
  
  maxLength = 256
- fontSrcboolean
  
  Specifies valid sources for loading fonts.
- childSrcboolean
  
  Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame.
- frameSrcboolean
  
  Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame.
- mediaSrcboolean
  
  Specifies valid sources for loading media using the audio and video elements.
- styleSrcboolean
  
  Specifies valid sources for stylesheets.
- objectSrcboolean
  
  Specifies valid sources for the object, embed, and applet elements.
- scriptSrcboolean
  
  Specifies valid sources for JavaScript.
- workerSrcboolean
  
  Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
- connectSrcboolean
  
  Restricts the URLs that can be loaded using script interfaces.
- formActionboolean
  
  Allow forms to be submitted to the origin.
- createdDatestring
  
  The UTC timestamp when the CSP entry was created.
  
  format = "date-time"
- descriptionstring
  
  The reason for adding this origin to the Content Security Policy.
  
  maxLength = 1024
- modifiedDatestring
  
  The UTC timestamp when the CSP entry was last modified.
  
  format = "date-time"
- connectSrcWSSboolean
  
  Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://').
- frameAncestorsboolean
  
  Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet.
- idstring
  
  The CSP entry's unique identifier.

400

application/json

Bad Request

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

401

application/json

Unauthorized

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

403

application/json

Forbidden

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

404

application/json

Not found

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

500

application/json

Internal Server Error

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

503

application/json

Service Unavailable

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

PUT /v1/csp-origins/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
-X PUT \
-H "Content-type: application/json" \
-H "Authorization: Bearer <access_token>" \
-d '{"name":"string","imgSrc":true,"origin":"string","fontSrc":true,"childSrc":true,"frameSrc":true,"mediaSrc":true,"styleSrc":true,"objectSrc":true,"scriptSrc":true,"workerSrc":true,"connectSrc":true,"formAction":true,"description":"string","connectSrcWSS":true,"frameAncestors":true}'

const https = require('https')
  const data = JSON.stringify({"name":"string","imgSrc":true,"origin":"string","fontSrc":true,"childSrc":true,"frameSrc":true,"mediaSrc":true,"styleSrc":true,"objectSrc":true,"scriptSrc":true,"workerSrc":true,"connectSrc":true,"formAction":true,"description":"string","connectSrcWSS":true,"frameAncestors":true})
  const options =   {
    'hostname': 'https://your-tenant.us.qlikcloud.com',
    'port': 443,
    'path': '/api/v1/csp-origins/{id}',
    'method': 'PUT',
    'headers': {
      'Content-type': 'application/json',
      'Authorization': 'Bearer <access_token>'
    }
  }
  const req = https.request(options)
  req.write(data)

qlik csp-origin update <csp-originId> \
--childSrc=true \
--connectSrc=true \
--connectSrcWSS=true \
--description="string" \
--fontSrc=true \
--formAction=true \
--frameAncestors=true \
--frameSrc=true \
--imgSrc=true \
--mediaSrc=true \
--name="string" \
--objectSrc=true \
--origin="string" \
--scriptSrc=true \
--styleSrc=true \
--workerSrc=true

Request

{
  "name": "string",
  "imgSrc": true,
  "origin": "string",
  "fontSrc": true,
  "childSrc": true,
  "frameSrc": true,
  "mediaSrc": true,
  "styleSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "workerSrc": true,
  "connectSrc": true,
  "formAction": true,
  "description": "string",
  "connectSrcWSS": true,
  "frameAncestors": true
}

Response

{
  "name": "string",
  "imgSrc": true,
  "origin": "string",
  "fontSrc": true,
  "childSrc": true,
  "frameSrc": true,
  "mediaSrc": true,
  "styleSrc": true,
  "objectSrc": true,
  "scriptSrc": true,
  "workerSrc": true,
  "connectSrc": true,
  "formAction": true,
  "createdDate": "2018-10-30T07:06:22Z",
  "description": "string",
  "modifiedDate": "2018-10-30T07:06:22Z",
  "connectSrcWSS": true,
  "frameAncestors": true,
  "id": "string"
}

Deletes a specific content security policy.

Facts

Rate limit	Tier 2 (100 requests per minute)
Categories	embed

Path Parameters

idstring
Required

The CSP entry's unique identifier.

Responses

204

No Content response.

400

application/json

Bad Request

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

401

application/json

Unauthorized

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

403

application/json

Forbidden

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

404

application/json

Not found

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

500

application/json

Internal Server Error

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

503

application/json

Service Unavailable

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

DELETE /v1/csp-origins/{id}

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
-X DELETE \
-H "Authorization: Bearer <access_token>"

const https = require('https')
  const data = JSON.stringify("")
  const options =   {
    'hostname': 'https://your-tenant.us.qlikcloud.com',
    'port': 443,
    'path': '/api/v1/csp-origins/{id}',
    'method': 'DELETE',
    'headers': {
      'Authorization': 'Bearer <access_token>'
    }
  }
  const req = https.request(options)

qlik csp-origin rm <csp-originId>

Retrieves the full content security policy header (including all configured policies and origins) for the tenant.

Facts

Rate limit	Tier 1 (1000 requests per minute)
Categories	embed

Header Parameters

Acceptstring

The Accept request HTTP header indicates which content types, expressed as MIME types, the client is able to understand

Can be one of: "application/json""text/plain"

default = "application/json"

Responses

200

text/plain

OK Response

text/plainstring

200

application/json

OK Response

application/jsonobject
Show application/json properties
- Content-Security-Policystring
  
  The compiled CSP header.

401

application/json

Unauthorized

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

406

application/json

Not Acceptable

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

500

application/json

Internal Server Error

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

503

application/json

Service Unavailable

application/jsonobject
Show application/json properties
- errorsarray of objects
  
  Show errors properties
  
  codestring
  Required
  
  The unique code for the error.
  
  titlestring
  Required
  
  A summary of what went wrong.
  
  detailstring
  
  May be used to provide additional details.

GET /v1/csp-origins/actions/generate-header

curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/actions/generate-header" \
-H "Authorization: Bearer <access_token>"

const https = require('https')
  const data = JSON.stringify("")
  const options =   {
    'hostname': 'https://your-tenant.us.qlikcloud.com',
    'port': 443,
    'path': '/api/v1/csp-origins/actions/generate-header',
    'method': 'GET',
    'headers': {
      'Authorization': 'Bearer <access_token>'
    }
  }
  const req = https.request(options)

qlik csp-origin generate-header

Response

"string"

CSP origins

Endpoints

List CSPs

Facts

Query Parameters

Responses

200

400

401

403

500

503

Response

Create a new CSP

Facts

Request Body

Responses

201

400

401

403

500

503

Request

Response

Get a CSP

Facts

Path Parameters

Responses

200

400

401

403

404

500

503

Response

Update a CSP

Facts

Path Parameters

Request Body

Responses

200

400

401

403

404

500

503

Request

Response

Delete a CSP

Facts

Path Parameters

Responses

204

400

401

403

404

500

503

Retrieve CSP header

Facts

Header Parameters

Responses

200

200

401

406

500

503

Response