CSP origins
CSP origins allows you to configure domains, or origins, that Qlik Sense client visualizations/extensions are allowed to communicate with.
Endpoints
GET | /v1/csp-origins |
POST | /v1/csp-origins |
GET | /v1/csp-origins/{id} |
PUT | /v1/csp-origins/{id} |
DELETE | /v1/csp-origins/{id} |
GET | /v1/csp-origins/actions/generate-header |
Retrieves all CSP entries for a tenant
Facts GET /v1/csp-origins
Rate limit required | Tier 1 (1000 requests per minute) |
Query Parameters GET /v1/csp-origins
childSrc boolean | Filter resources by directive 'childSrc', true/false. |
connectSrc boolean | Filter resources by directive 'connectSrc', true/false. |
connectSrcWSS boolean | Filter resources by directive 'connectSrcWSS', true/false. |
fontSrc boolean | Filter resources by directive 'fontSrc', true/false. |
formAction boolean | Filter resources by directive 'formAction', true/false. |
frameAncestors boolean | Filter resources by directive 'frameAncestors', true/false. |
frameSrc boolean | Filter resources by directive 'frameSrc', true/false. |
imgSrc boolean | Filter resources by directive 'imgSrc', true/false. |
limit default=20, minimum=1, maximum=100 number | Maximum number of CSP-Origins to retrieve. |
mediaSrc boolean | Filter resources by directive 'mediaSrc', true/false. |
name string | Filter resources by name (wildcard and case insensitive). |
next string | Cursor to the next page. |
objectSrc boolean | Filter resources by directive 'objectSrc', true/false. |
origin string | Filter resources by origin (wildcard and case insensitive). |
prev string | Cursor to the previous page. |
scriptSrc boolean | Filter resources by directive 'scriptSrc', true/false. |
sort string | Field to sort by, prefix with -/+ to indicate order. Enum: name -name origin -origin createdDate -createdDate modifiedDate -modifiedDate |
styleSrc boolean | Filter resources by directive 'styleSrc', true/false. |
workerSrc boolean | Filter resources by directive 'workerSrc', true/false. |
Responses GET /v1/csp-origins
200 application/json | OK Response |
400 application/json | Bad Request |
401 application/json | Unauthorized |
403 application/json | Forbidden |
500 application/json | Internal Server Error |
503 application/json | Service Unavailable |
GET /v1/csp-origins
curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins" \
-H "Authorization: Bearer <API-key>"
Response GET /v1/csp-origins
{
"data": [
{
"id": "string",
"name": "string",
"imgSrc": true,
"origin": "string",
"fontSrc": true,
"childSrc": true,
"frameSrc": true,
"mediaSrc": true,
"styleSrc": true,
"objectSrc": true,
"scriptSrc": true,
"workerSrc": true,
"connectSrc": true,
"formAction": true,
"createdDate": "2023-09-19T16:48:56.740Z",
"description": "string",
"modifiedDate": "2023-09-19T16:48:56.740Z",
"connectSrcWSS": true,
"frameAncestors": true
}
],
"links": {
"next": {
"href": "string"
},
"prev": {
"href": "string"
},
"self": {
"href": "string"
}
}
}
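As an added example (not part of Qlik's documentation or code), the Python below audits a response shaped like the one above for allow-list entries that weaken the tenant's policy. The set of high-risk directives, the finding rules and the sample entries are assumptions constructed for illustration; it also assumes an origin may carry a `*` wildcard, as CSP host-source syntax permits.

```python
# Added example: review CSP entries shaped like the GET /v1/csp-origins response.
# The rules below are illustrative assumptions, not Qlik-defined policy.

# Directives that let the allowed origin run code in, or embed, the tenant UI.
HIGH_RISK = ("scriptSrc", "objectSrc", "workerSrc", "frameAncestors")
ALL_DIRECTIVES = HIGH_RISK + (
    "imgSrc", "fontSrc", "childSrc", "frameSrc", "mediaSrc",
    "styleSrc", "connectSrc", "formAction", "connectSrcWSS",
)

def audit_entry(entry):
    """Return a list of findings for one CSPEntry dict (empty if clean)."""
    findings = []
    origin = entry.get("origin") or ""
    enabled = [d for d in ALL_DIRECTIVES if entry.get(d) is True]
    risky = [d for d in HIGH_RISK if entry.get(d) is True]
    if "*" in origin and risky:
        findings.append("wildcard origin with " + ",".join(risky))
    if origin.lower().startswith("http://"):
        findings.append("cleartext http origin")
    if len(enabled) == len(ALL_DIRECTIVES):
        findings.append("every directive enabled")
    if not (entry.get("description") or "").strip():
        findings.append("no description recorded")
    return findings

def audit(response):
    """Map entry id -> findings for every entry in 'data' that has any."""
    report = {}
    for entry in response.get("data", []):
        findings = audit_entry(entry)
        if findings:
            report[entry["id"]] = findings
    return report

# Constructed sample response; ids and origins are placeholders.
SAMPLE = {"data": [
    {"id": "csp-001", "origin": "*.example.com", "scriptSrc": True,
     "description": ""},
    {"id": "csp-002", "origin": "https://maps.example.org", "imgSrc": True,
     "connectSrc": True, "description": "Map tiles for the sales dashboard"},
    {"id": "csp-003", "origin": "http://legacy.example.net",
     "description": "temp", **dict.fromkeys(ALL_DIRECTIVES, True)},
]}

if __name__ == "__main__":
    for entry_id, findings in audit(SAMPLE).items():
        print(entry_id, "->", "; ".join(findings))
```

To review a whole tenant, feed each page of the list response to `audit` and follow `links.next.href` until it is absent.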
Creates a new CSP entry
Facts POST /v1/csp-origins
Rate limit required | Tier 2 (100 requests per minute) |
Request Body POST /v1/csp-origins
application/json | No description |
Responses POST /v1/csp-origins
201 application/json | OK Response |
400 application/json | Bad Request |
401 application/json | Unauthorized |
403 application/json | Forbidden |
500 application/json | Internal Server Error |
503 application/json | Service Unavailable |
POST /v1/csp-origins
curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins" \
-X POST \
-H "Authorization: Bearer <API-key>" \
-H "Content-type: application/json" \
-d '{"name":"string","imgSrc":true,"origin":"string","fontSrc":true,"childSrc":true,"frameSrc":true,"mediaSrc":true,"styleSrc":true,"objectSrc":true,"scriptSrc":true,"workerSrc":true,"connectSrc":true,"formAction":true,"createdDate":"2023-09-19T16:48:56.740Z","description":"string","modifiedDate":"2023-09-19T16:48:56.740Z","connectSrcWSS":true,"frameAncestors":true}'
Request POST /v1/csp-origins
{
"name": "string",
"imgSrc": true,
"origin": "string",
"fontSrc": true,
"childSrc": true,
"frameSrc": true,
"mediaSrc": true,
"styleSrc": true,
"objectSrc": true,
"scriptSrc": true,
"workerSrc": true,
"connectSrc": true,
"formAction": true,
"createdDate": "2023-09-19T16:48:56.740Z",
"description": "string",
"modifiedDate": "2023-09-19T16:48:56.740Z",
"connectSrcWSS": true,
"frameAncestors": true
}
Response POST /v1/csp-origins
{
"id": "string",
"name": "string",
"imgSrc": true,
"origin": "string",
"fontSrc": true,
"childSrc": true,
"frameSrc": true,
"mediaSrc": true,
"styleSrc": true,
"objectSrc": true,
"scriptSrc": true,
"workerSrc": true,
"connectSrc": true,
"formAction": true,
"createdDate": "2023-09-19T16:48:56.740Z",
"description": "string",
"modifiedDate": "2023-09-19T16:48:56.740Z",
"connectSrcWSS": true,
"frameAncestors": true
}
Returns details for a specific CSP entry
Facts GET /v1/csp-origins/{id}
Rate limit required | Tier 1 (1000 requests per minute) |
Path Parameters GET /v1/csp-origins/{id}
id required string | The CSP entry's unique identifier. |
Responses GET /v1/csp-origins/{id}
200 application/json | OK Response |
400 application/json | Bad Request |
401 application/json | Unauthorized |
403 application/json | Forbidden |
404 application/json | Not found |
500 application/json | Internal Server Error |
503 application/json | Service Unavailable |
GET /v1/csp-origins/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
-H "Authorization: Bearer <API-key>"
Response GET /v1/csp-origins/{id}
{
"id": "string",
"name": "string",
"imgSrc": true,
"origin": "string",
"fontSrc": true,
"childSrc": true,
"frameSrc": true,
"mediaSrc": true,
"styleSrc": true,
"objectSrc": true,
"scriptSrc": true,
"workerSrc": true,
"connectSrc": true,
"formAction": true,
"createdDate": "2023-09-19T16:48:56.740Z",
"description": "string",
"modifiedDate": "2023-09-19T16:48:56.740Z",
"connectSrcWSS": true,
"frameAncestors": true
}
Updates a CSP entry
Facts PUT /v1/csp-origins/{id}
Rate limit required | Tier 2 (100 requests per minute) |
Path Parameters PUT /v1/csp-origins/{id}
id required string | The CSP entry's unique identifier. |
Request Body PUT /v1/csp-origins/{id}
application/json | No description |
Responses PUT /v1/csp-origins/{id}
200 application/json | OK Response |
400 application/json | Bad Request |
401 application/json | Unauthorized |
403 application/json | Forbidden |
404 application/json | Not found |
500 application/json | Internal Server Error |
503 application/json | Service Unavailable |
PUT /v1/csp-origins/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
-X PUT \
-H "Authorization: Bearer <API-key>" \
-H "Content-type: application/json" \
-d '{"name":"string","imgSrc":true,"origin":"string","fontSrc":true,"childSrc":true,"frameSrc":true,"mediaSrc":true,"styleSrc":true,"objectSrc":true,"scriptSrc":true,"workerSrc":true,"connectSrc":true,"formAction":true,"createdDate":"2023-09-19T16:48:56.740Z","description":"string","modifiedDate":"2023-09-19T16:48:56.740Z","connectSrcWSS":true,"frameAncestors":true}'
Request PUT /v1/csp-origins/{id}
{
"name": "string",
"imgSrc": true,
"origin": "string",
"fontSrc": true,
"childSrc": true,
"frameSrc": true,
"mediaSrc": true,
"styleSrc": true,
"objectSrc": true,
"scriptSrc": true,
"workerSrc": true,
"connectSrc": true,
"formAction": true,
"createdDate": "2023-09-19T16:48:56.740Z",
"description": "string",
"modifiedDate": "2023-09-19T16:48:56.740Z",
"connectSrcWSS": true,
"frameAncestors": true
}
Response PUT /v1/csp-origins/{id}
{
"id": "string",
"name": "string",
"imgSrc": true,
"origin": "string",
"fontSrc": true,
"childSrc": true,
"frameSrc": true,
"mediaSrc": true,
"styleSrc": true,
"objectSrc": true,
"scriptSrc": true,
"workerSrc": true,
"connectSrc": true,
"formAction": true,
"createdDate": "2023-09-19T16:48:56.740Z",
"description": "string",
"modifiedDate": "2023-09-19T16:48:56.740Z",
"connectSrcWSS": true,
"frameAncestors": true
}
Deletes a specific CSP entry
Facts DELETE /v1/csp-origins/{id}
Rate limit required | Tier 2 (100 requests per minute) |
Path Parameters DELETE /v1/csp-origins/{id}
id required string | The CSP entry's unique identifier. |
Responses DELETE /v1/csp-origins/{id}
204 object | No Content response. |
400 application/json | Bad Request |
401 application/json | Unauthorized |
403 application/json | Forbidden |
404 application/json | Not found |
500 application/json | Internal Server Error |
503 application/json | Service Unavailable |
DELETE /v1/csp-origins/{id}
curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/{id}" \
-X DELETE \
-H "Authorization: Bearer <API-key>"
Retrieves the CSP header for a tenant
Facts GET /v1/csp-origins/actions/generate-header
Rate limit required | Tier 1 (1000 requests per minute) |
Responses GET /v1/csp-origins/actions/generate-header
200 application/json | OK Response |
401 application/json | Unauthorized |
406 application/json | Not Acceptable |
500 application/json | Internal Server Error |
503 application/json | Service Unavailable |
GET /v1/csp-origins/actions/generate-header
curl "https://your-tenant.us.qlikcloud.com/api/v1/csp-origins/actions/generate-header" \
-H "Authorization: Bearer <API-key>"
Response GET /v1/csp-origins/actions/generate-header
{
"Content-Security-Policy": "string"
}
CSPEntry
objectProperties
id string | The CSP entry's unique identifier. |
name string | The name for this entry. |
imgSrc boolean | Specifies valid sources of images and favicons. |
origin string | The origin that the CSP directives should be applied to. |
fontSrc boolean | Specifies valid sources for loading fonts. |
childSrc boolean | Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame. |
frameSrc boolean | Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame. |
mediaSrc boolean | Specifies valid sources for loading media using the audio and video elements. |
styleSrc boolean | Specifies valid sources for stylesheets. |
objectSrc boolean | Specifies valid sources for the object, embed, and applet elements. |
scriptSrc boolean | Specifies valid sources for JavaScript. |
workerSrc boolean | Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. |
connectSrc boolean | Restricts the URLs that can be loaded using script interfaces. |
formAction boolean | Allow forms to be submitted to the origin. |
createdDate string<date-time> | The UTC timestamp when the CSP entry was created. |
description string | The reason for adding this origin to the Content Security Policy. |
modifiedDate string<date-time> | The UTC timestamp when the CSP entry was last modified. |
connectSrcWSS boolean | Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://'). |
frameAncestors boolean | Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet. |
CSPEntryContent
objectProperties
name string | The name for this entry. |
imgSrc boolean | Specifies valid sources of images and favicons. |
origin required string | The origin that the CSP directives should be applied to. |
fontSrc boolean | Specifies valid sources for loading fonts. |
childSrc boolean | Defines the valid sources for loading web workers and nested browsing contexts using elements such as frame and iFrame. |
frameSrc boolean | Specifies valid sources for loading nested browsing contexts using elements such as frame and iFrame. |
mediaSrc boolean | Specifies valid sources for loading media using the audio and video elements. |
styleSrc boolean | Specifies valid sources for stylesheets. |
objectSrc boolean | Specifies valid sources for the object, embed, and applet elements. |
scriptSrc boolean | Specifies valid sources for JavaScript. |
workerSrc boolean | Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. |
connectSrc boolean | Restricts the URLs that can be loaded using script interfaces. |
formAction boolean | Allow forms to be submitted to the origin. |
createdDate string<date-time> | The UTC timestamp when the CSP entry was created. |
description string | The reason for adding this origin to the Content Security Policy. |
modifiedDate string<date-time> | The UTC timestamp when the CSP entry was last modified. |
connectSrcWSS boolean | Restricts the URLs that can be connected to websockets (all sources will be prefixed with 'wss://'). |
frameAncestors boolean | Specifies valid sources for embedding the resource using frame, iFrame, object, embed and applet. |
CSPEntryList
objectProperties
data | No description |
links | No description |
CSPHeader
objectProperties
Content-Security-Policy string | The compiled CSP header. |
Error
objectProperties
code required string | The unique code for the error. |
title required string | A summary of what went wrong. |
detail string | May be used to provide additional details. |
ErrorResponse
objectProperties
errors | No description |
Link
objectProperties
href required string | URL to a resource request. |