HTTP response headers

HTTP response headers let a server pass additional information to the client alongside the response body. In Collibra, you can configure the HTTP response headers to improve protection against a range of browser-side threats, such as cross-site scripting (XSS), UI redressing (clickjacking), MIME type sniffing and other attacks.

Configuration of HTTP response headers and scopes

HTTP response headers are configured in scopes. A scope consists of a URL pattern and one or more HTTP response headers. On each request, Collibra checks the request URL and applies the HTTP response headers of every scope whose URL pattern matches. Patterns can overlap: a request to a path under /rest/ matches both /** and /rest/**, and the tables below show the more specific scope carrying its own X-Frame-Options and Content-Security-Policy values.

The tables below show the packaged HTTP response headers and their URL patterns. Contact Collibra support to change the HTTP response headers.

Two caveats when reading the packaged values. In the /** scope, script-src and style-src list *, 'unsafe-inline' and 'unsafe-eval', so that Content-Security-Policy does not by itself stop an injected script from running; the protection it does deliver comes from frame-ancestors, which together with X-Frame-Options restricts who may frame the application. X-XSS-Protection is a legacy header that Firefox never implemented and that Chromium-based browsers no longer act on; it does no harm, but none of the other headers should be relaxed on the assumption that it helps.

Collibra Data Governance Center

URL pattern: /**

  Content-Security-Policy:
    default-src 'none';
    connect-src * 'self' https://www.google-analytics.com https://stats.g.doubleclick.net https://app.pendo.io;
    font-src * 'self' data: https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src * 'self' mailto: tel:;
    img-src * 'self' blob: data: https://www.google-analytics.com https://www.google.com https://app.pendo.io https://cdn.pendo.io https://pendo-static-5002465686061056.storage.googleapis.com;
    script-src * 'self' blob: https://www.google-analytics.com https://app.pendo.io https://cdn.pendo.io https://pendo-io-static.storage.googleapis.com https://pendo-static-5002465686061056.storage.googleapis.com 'unsafe-eval' 'unsafe-inline';
    style-src * 'self' https://fonts.googleapis.com https://cdn.pendo.io https://pendo-static-5002465686061056.storage.googleapis.com 'unsafe-inline'
  Referrer-Policy: no-referrer-when-downgrade
  Strict-Transport-Security: max-age=63072000; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block

URL pattern: /rest/**

  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

URL pattern: /rest/catalog/1.0/internal/technicalLineage/iframe/**

  X-Frame-Options: SAMEORIGIN
  Content-Security-Policy:
    default-src 'none';
    connect-src 'self';
    font-src 'self' https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src 'self';
    img-src 'self';
    script-src 'self' 'unsafe-inline';
    style-src 'self' https://fonts.googleapis.com 'unsafe-inline'

URL pattern: /graphql

  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
Collibra Data Governance Center (second packaged set published on this page; it differs from the first only in the /** scope, which omits the data: and blob: schemes and the Google Fonts hosts)

URL pattern: /**

  Content-Security-Policy:
    default-src 'none';
    connect-src * 'self' https://www.google-analytics.com https://stats.g.doubleclick.net https://app.pendo.io;
    font-src * 'self';
    frame-ancestors 'self';
    frame-src * 'self' mailto: tel:;
    img-src * 'self' https://www.google-analytics.com https://www.google.com https://app.pendo.io https://cdn.pendo.io https://pendo-static-5002465686061056.storage.googleapis.com;
    script-src * 'self' https://www.google-analytics.com https://app.pendo.io https://cdn.pendo.io https://pendo-io-static.storage.googleapis.com https://pendo-static-5002465686061056.storage.googleapis.com 'unsafe-eval' 'unsafe-inline';
    style-src * 'self' https://cdn.pendo.io https://pendo-static-5002465686061056.storage.googleapis.com 'unsafe-inline'
  Referrer-Policy: no-referrer-when-downgrade
  Strict-Transport-Security: max-age=63072000; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block

URL pattern: /rest/**

  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

URL pattern: /rest/catalog/1.0/internal/technicalLineage/iframe/**

  X-Frame-Options: SAMEORIGIN
  Content-Security-Policy:
    default-src 'none';
    connect-src 'self';
    font-src 'self' https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src 'self';
    img-src 'self';
    script-src 'self' 'unsafe-inline';
    style-src 'self' https://fonts.googleapis.com 'unsafe-inline'

URL pattern: /graphql

  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

Collibra Console

URL pattern: /**

  Content-Security-Policy:
    default-src 'none';
    connect-src * 'self' https://www.google-analytics.com;
    font-src * 'self' data: https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src * 'self' mailto: tel:;
    img-src * 'self' blob: data: https://www.google-analytics.com https://www.google.com;
    script-src * 'self' 'unsafe-eval' 'unsafe-inline';
    style-src * 'self' 'unsafe-inline'
  Referrer-Policy: no-referrer-when-downgrade
  Strict-Transport-Security: max-age=63072000; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block

URL pattern: /rest/**

  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

URL pattern: /rest/catalog/1.0/internal/technicalLineage/iframe/**

  X-Frame-Options: SAMEORIGIN
  Content-Security-Policy:
    default-src 'none';
    connect-src 'self';
    font-src 'self' https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src 'self';
    img-src 'self';
    script-src 'self' 'unsafe-inline';
    style-src 'self' https://fonts.googleapis.com 'unsafe-inline'

URL pattern: /graphql

  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
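The following Python script is an added example, not Collibra's own code. It reproduces the scope matching described under "Configuration of HTTP response headers and scopes" on a transcription of the tables above (the /** policy is abbreviated to the directives that matter for the checks; the analytics hosts are left out), resolves the headers a given path receives, and then tests the two properties the packaged headers are there to enforce: whether a page on another origin could frame the resource, and whether the Content-Security-Policy actually constrains script execution. The precedence between overlapping scopes (the most specific pattern wins) is an assumption; the page does not state it.

```python
import re

# Constructed transcription of the packaged scopes from the tables above.
# The /** CSP is abbreviated (assumption: analytics hosts dropped, structure kept).
SCOPES = [
    ("/**", {
        "Content-Security-Policy": (
            "default-src 'none'; connect-src * 'self'; font-src * 'self' data:; "
            "frame-ancestors 'self'; frame-src * 'self' mailto: tel:; "
            "img-src * 'self' blob: data:; "
            "script-src * 'self' blob: 'unsafe-eval' 'unsafe-inline'; "
            "style-src * 'self' 'unsafe-inline'"
        ),
        "Referrer-Policy": "no-referrer-when-downgrade",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "SAMEORIGIN",
        "X-XSS-Protection": "1; mode=block",
    }),
    ("/rest/**", {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    }),
    ("/rest/catalog/1.0/internal/technicalLineage/iframe/**", {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": (
            "default-src 'none'; connect-src 'self'; frame-ancestors 'self'; "
            "frame-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline'; "
            "style-src 'self' 'unsafe-inline'"
        ),
    }),
    ("/graphql", {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    }),
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Ant-style glob: '**' spans path separators, '*' stays within one segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def resolve_headers(path: str) -> dict:
    """Headers a request to `path` receives: every matching scope contributes.
    Assumption (not stated on the page): when two scopes set the same header,
    the more specific pattern, i.e. the one with the longer literal part, wins."""
    matching = [(p, h) for p, h in SCOPES if pattern_to_regex(p).match(path)]
    matching.sort(key=lambda ph: len(ph[0].replace("*", "")))
    headers = {}
    for _, h in matching:
        headers.update(h)
    return headers


def parse_csp(value: str) -> dict:
    """\"default-src 'none'; script-src a b\" -> {'default-src': [\"'none'\"], ...}"""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(value: str) -> list:
    """Directive-level weaknesses of a policy; an empty list means no finding."""
    policy = parse_csp(value)
    findings = []
    # script-src falls back to default-src when absent; frame-ancestors never does.
    script = policy.get("script-src", policy.get("default-src", []))
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    if "'unsafe-inline'" in script and not nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': an injected <script> still runs")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': eval()/new Function() permitted")
    if "*" in script:
        findings.append("script-src allows *: any http(s) host may serve scripts")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: framing is governed only by X-Frame-Options")
    return findings


def cross_origin_framing_allowed(headers: dict) -> bool:
    """True if a page on another origin may frame the resource. A browser that
    understands frame-ancestors applies it and ignores X-Frame-Options when both exist."""
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    if "frame-ancestors" in csp:
        return any(s not in ("'self'", "'none'") for s in csp["frame-ancestors"])
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    for path in ("/ui/", "/rest/2.0/assets", "/graphql"):
        h = resolve_headers(path)
        print(path, "X-Frame-Options=" + h.get("X-Frame-Options", "-"),
              "cross-origin framing:", cross_origin_framing_allowed(h))
        for finding in csp_findings(h["Content-Security-Policy"]):
            print("   ", finding)
```

Run against the transcribed tables, the script reports that no scope is framable from another origin, that the /rest/** and /graphql policies have no findings, and that the /** policy has three: wildcard, inline and eval script sources. The same resolve-and-check routine can be pointed at the headers of a live instance by replacing the transcribed SCOPES with the output of an HTTP client.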

Whitelists

Whitelists contain the list of trusted web domains that are allowed for safe client-side integrations. Just as you can name explicit web domains in a header value, you can reference a whitelist from an HTTP response header, so that the trusted web domains in the whitelist are exempt from the restrictions that header imposes.

If you have the required permissions, you can edit the whitelists of the HTTP response headers.

Further reading

For more information about HTTP response headers, see the following external sources: