HTTP response headers

HTTP headers let clients and servers pass additional information along with an HTTP request or response. In Collibra, you can configure the HTTP response headers to improve security against a wide range of threats, such as cross-site scripting (XSS), UI redressing (clickjacking), MIME type sniffing and other types of attacks.

Configuration of HTTP response headers and scopes

HTTP response headers are configured in scopes. A scope consists of a URL pattern and one or more HTTP response headers. On each request, Collibra checks the request URL and applies the HTTP response headers of all URL patterns that match it.

The tables below show the out-of-the-box HTTP response headers and their URL patterns. You can also edit the HTTP response headers. Contact Collibra Support to change the HTTP response headers.

Collibra Platform

URL pattern / HTTP response header (name: value)

/**
  Content-Security-Policy:
    default-src 'none';
    connect-src * 'self' https://www.google-analytics.com https://stats.g.doubleclick.net https://app.pendo.io;
    font-src * 'self' data: https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src * 'self' mailto: tel:;
    img-src * 'self' blob: data: https://www.google-analytics.com https://www.google.com https://app.pendo.io https://cdn.pendo.io https://pendo-static-5002465686061056.storage.googleapis.com;
    script-src * 'self' blob: https://www.google-analytics.com https://app.pendo.io https://cdn.pendo.io https://pendo-io-static.storage.googleapis.com https://pendo-static-5002465686061056.storage.googleapis.com 'unsafe-eval' 'unsafe-inline';
    style-src * 'self' https://fonts.googleapis.com https://cdn.pendo.io https://pendo-static-5002465686061056.storage.googleapis.com 'unsafe-inline'
  Referrer-Policy: no-referrer
  Strict-Transport-Security: max-age=63072000; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block

/rest/**
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

/rest/catalog/1.0/internal/technicalLineage/iframe/**
  X-Frame-Options: SAMEORIGIN
  Content-Security-Policy:
    default-src 'none';
    connect-src 'self';
    font-src 'self' https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src 'self';
    img-src 'self';
    script-src 'self' 'unsafe-inline';
    style-src 'self' https://fonts.googleapis.com 'unsafe-inline'

/graphql
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

/graphql/batch
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

URL pattern / HTTP response header (name: value)

/**
  Content-Security-Policy:
    default-src 'none';
    connect-src * 'self' https://www.google-analytics.com https://stats.g.doubleclick.net https://app.pendo.io;
    font-src * 'self' data: https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src * 'self' mailto: tel:;
    img-src * 'self' blob: data: https://www.google-analytics.com https://www.google.com https://app.pendo.io https://cdn.pendo.io https://pendo-static-5002465686061056.storage.googleapis.com;
    script-src * 'self' blob: https://www.google-analytics.com https://app.pendo.io https://cdn.pendo.io https://pendo-io-static.storage.googleapis.com https://pendo-static-5002465686061056.storage.googleapis.com 'unsafe-eval' 'unsafe-inline';
    style-src * 'self' https://fonts.googleapis.com https://cdn.pendo.io https://pendo-static-5002465686061056.storage.googleapis.com 'unsafe-inline'
  Referrer-Policy: no-referrer-when-downgrade
  Strict-Transport-Security: max-age=63072000; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block

/rest/**
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

/rest/catalog/1.0/internal/technicalLineage/iframe/**
  X-Frame-Options: SAMEORIGIN
  Content-Security-Policy:
    default-src 'none';
    connect-src 'self';
    font-src 'self' https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src 'self';
    img-src 'self';
    script-src 'self' 'unsafe-inline';
    style-src 'self' https://fonts.googleapis.com 'unsafe-inline'

/graphql
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

/graphql/batch
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

URL pattern / HTTP response header (name: value)

/**
  Content-Security-Policy:
    default-src 'none';
    connect-src * 'self' https://www.google-analytics.com https://stats.g.doubleclick.net https://app.pendo.io;
    font-src * 'self' data: https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src * 'self' mailto: tel:;
    img-src * 'self' blob: data: https://www.google-analytics.com https://www.google.com https://app.pendo.io https://cdn.pendo.io https://pendo-static-5002465686061056.storage.googleapis.com;
    script-src * 'self' blob: https://www.google-analytics.com https://app.pendo.io https://cdn.pendo.io https://pendo-io-static.storage.googleapis.com https://pendo-static-5002465686061056.storage.googleapis.com 'unsafe-eval' 'unsafe-inline';
    style-src * 'self' https://fonts.googleapis.com https://cdn.pendo.io https://pendo-static-5002465686061056.storage.googleapis.com 'unsafe-inline'
  Referrer-Policy: no-referrer-when-downgrade
  Strict-Transport-Security: max-age=63072000; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block

/rest/**
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

/rest/catalog/1.0/internal/technicalLineage/iframe/**
  X-Frame-Options: SAMEORIGIN
  Content-Security-Policy:
    default-src 'none';
    connect-src 'self';
    font-src 'self' https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src 'self';
    img-src 'self';
    script-src 'self' 'unsafe-inline';
    style-src 'self' https://fonts.googleapis.com 'unsafe-inline'

/graphql
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

URL pattern / HTTP response header (name: value)

/**
  Content-Security-Policy:
    default-src 'none';
    connect-src * 'self' https://www.google-analytics.com https://stats.g.doubleclick.net https://app.pendo.io;
    font-src * 'self';
    frame-ancestors 'self';
    frame-src * 'self' mailto: tel:;
    img-src * 'self' https://www.google-analytics.com https://www.google.com https://app.pendo.io https://cdn.pendo.io https://pendo-static-5002465686061056.storage.googleapis.com;
    script-src * 'self' https://www.google-analytics.com https://app.pendo.io https://cdn.pendo.io https://pendo-io-static.storage.googleapis.com https://pendo-static-5002465686061056.storage.googleapis.com 'unsafe-eval' 'unsafe-inline';
    style-src * 'self' https://cdn.pendo.io https://pendo-static-5002465686061056.storage.googleapis.com 'unsafe-inline'
  Referrer-Policy: no-referrer-when-downgrade
  Strict-Transport-Security: max-age=63072000; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block

/rest/**
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

/rest/catalog/1.0/internal/technicalLineage/iframe/**
  X-Frame-Options: SAMEORIGIN
  Content-Security-Policy:
    default-src 'none';
    connect-src 'self';
    font-src 'self' https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src 'self';
    img-src 'self';
    script-src 'self' 'unsafe-inline';
    style-src 'self' https://fonts.googleapis.com 'unsafe-inline'

/graphql
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

Collibra Console

URL pattern / HTTP response header (name: value)

/**
  Content-Security-Policy:
    default-src 'none';
    connect-src * 'self' https://www.google-analytics.com;
    font-src * 'self' data: https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src * 'self' mailto: tel:;
    img-src * 'self' blob: data: https://www.google-analytics.com https://www.google.com;
    script-src * 'self' 'unsafe-eval' 'unsafe-inline';
    style-src * 'self' 'unsafe-inline'
  Referrer-Policy: no-referrer
  Strict-Transport-Security: max-age=63072000; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block

/rest/**
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

/graphql
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

URL pattern / HTTP response header (name: value)

/**
  Content-Security-Policy:
    default-src 'none';
    connect-src * 'self' https://www.google-analytics.com;
    font-src * 'self' data: https://fonts.gstatic.com;
    frame-ancestors 'self';
    frame-src * 'self' mailto: tel:;
    img-src * 'self' blob: data: https://www.google-analytics.com https://www.google.com;
    script-src * 'self' 'unsafe-eval' 'unsafe-inline';
    style-src * 'self' 'unsafe-inline'
  Referrer-Policy: no-referrer-when-downgrade
  Strict-Transport-Security: max-age=63072000; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block

/rest/**
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'

/graphql
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
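The scope resolution described above, as an added example that is not Collibra's code: it models a subset of the Platform defaults, matches a request path against every URL pattern using Ant-style `**` semantics (an assumption about how Collibra matches patterns), and reports headers that two matching scopes set to different values, because the page states that all matching patterns apply but not how such overlaps are resolved.

```python
import re
from collections import defaultdict

# Scope table modelled on a subset of the page's Collibra Platform defaults.
SCOPES = {
    "/**": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'self'",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    },
    "/rest/**": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    },
    "/graphql": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    },
}

def pattern_to_regex(pattern):
    """Ant-style matching (assumed): '**' spans path separators, '*' does not."""
    escaped = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + escaped + "$")

def matching_scopes(path):
    """All URL patterns whose headers the page says are applied to this path."""
    return [p for p in SCOPES if pattern_to_regex(p).match(path)]

def headers_for(path):
    """Every header set by a matching scope, keeping each distinct value."""
    collected = defaultdict(list)
    for pattern in matching_scopes(path):
        for name, value in SCOPES[pattern].items():
            if value not in collected[name]:
                collected[name].append(value)
    return dict(collected)

def conflicts(path):
    """Headers that two matching scopes set to different values; these need a
    deliberate precedence decision before the policy for that path is relied on."""
    return sorted(name for name, values in headers_for(path).items() if len(values) > 1)

if __name__ == "__main__":
    for path in ("/index.html", "/rest/2.0/assets", "/graphql", "/graphql/batch"):
        print(path, matching_scopes(path), conflicts(path))
```

Note that `/graphql/batch` is not matched by the `/graphql` pattern, which is why the page lists it as a separate scope.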

Whitelists

Whitelists contain the trusted web domains that are allowed for safe client-side integrations. Just as you can name web domains explicitly in an HTTP response header, you can reference a whitelist in it, so that the HTTP response header's restrictions are not applied to the trusted web domains.

If you have the required permissions, you can edit the whitelists of the HTTP response headers.

Recommended use

You can include web domains and references to whitelists in the HTTP response headers. Collibra then does not apply the HTTP response headers to any web domain that is mentioned explicitly or in a whitelist.

However, editing the HTTP response headers requires the SUPER role in Collibra Console, which allows you to edit entire HTTP response headers and much more. Editing the whitelists only requires the ADMIN role, which does not allow editing the HTTP response headers themselves. Working with whitelists is therefore considered safer.

Whitelist name / Placeholder to use in the HTTP response header

connect-src: {connectSrcWl}
font-src: {fontSrcWl}
frame-src: {frameSrcWl}
img-src: {imgSrcWl}
script-src: {scriptSrcWl}
style-src: {styleSrcWl}
frame-ancestors: {frameAncestorsWl}
Tableau frame-ancestors: {tableauFrameAncestorsWl}

Web domain format and wildcards

Each whitelist can contain any number of web domains. You can use the asterisk (*) as a wildcard to match a broader range of web domains.

Format / Description

<protocol><subdomain>.<second-level domain>.<top-level domain>
  Matches a specific protocol and a specific web domain.
  Example: the web domain https://store.example.com matches calls to store.example.com using https:.

<protocol>*.<second-level domain>.<top-level domain>
  Matches a specific protocol and all subdomains of a web domain.
  Example: the web domain http://*.example.com matches calls to any subdomain of example.com using http:.

*.<second-level domain>.<top-level domain>
  Matches all subdomains of a web domain, with the current protocol.
  Example: the web domain *.example.com matches calls to any subdomain of example.com using the current protocol.

<subdomain>.<second-level domain>.<top-level domain>:*
  Matches all ports of a specific web domain.
  Example: the web domain www.example.com:* matches calls to any port on www.example.com.

<subdomain>.<second-level domain>.<top-level domain>:<port>
  Matches a specific port of a specific web domain.
  Example: the web domain mail.example.com:443 matches calls to port 443 on mail.example.com.
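The whitelist placeholders and the web-domain formats above, as an added example that is not Collibra's code: it validates whitelist entries against the five documented formats, expands a `{connectSrcWl}` placeholder in a header value, and checks whether an entry covers a given URL. The whitelist contents are constructed, and the rule that an entry without a port matches only the scheme's default port is an assumption the page does not state.

```python
import re
from urllib.parse import urlsplit

# Constructed whitelist contents: one entry per format in the page's table.
CONNECT_SRC_WHITELIST = [
    "https://store.example.com",
    "http://*.example.com",
    "*.example.com",
    "www.example.com:*",
    "mail.example.com:443",
]
DEFAULT_PORT = {"https": 443, "http": 80}

ENTRY_RE = re.compile(  # optional protocol, host (first label may be '*'), optional port
    r"^(?:(?P<scheme>https?)://)?(?P<host>(?:\*|[a-z0-9-]+)(?:\.[a-z0-9-]+)+)"
    r"(?::(?P<port>\*|\d{1,5}))?$", re.IGNORECASE)

def parse_entry(entry):
    """Reject anything outside the five documented formats (no paths, no bare '*')."""
    match = ENTRY_RE.match(entry.strip())
    if not match:
        raise ValueError(f"unsupported whitelist entry: {entry!r}")
    return match.groupdict()

def expand_placeholders(header_value, whitelists):
    """Replace {connectSrcWl}-style placeholders with the validated entries."""
    def substitute(match):
        entries = whitelists[match.group(1)]
        for entry in entries:
            parse_entry(entry)  # fail closed on a malformed entry
        return " ".join(entries)
    return re.sub(r"\{(\w+Wl)\}", substitute, header_value)

def entry_matches(entry, url, current_scheme="https"):
    """Does the entry cover this URL under the page's rules? Assumption: an entry
    without a port matches only the scheme's default port."""
    e, u = parse_entry(entry), urlsplit(url)
    scheme = (e["scheme"] or current_scheme).lower()
    host, want = (u.hostname or ""), e["host"].lower()
    ok_host = host.endswith(want[1:]) if want.startswith("*.") else host == want
    if u.scheme != scheme or not ok_host:
        return False
    port = u.port or DEFAULT_PORT[u.scheme]
    if e["port"] is None:
        return port == DEFAULT_PORT[scheme]
    return e["port"] == "*" or port == int(e["port"])
```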

Further reading

For more information about HTTP response headers, see the following external sources: