Code Connect
Response Headers
Code Connect APIs return the following headers in responses:
Header name: Strict-Transport-Security
Required?: Yes
Description: Indicates to browsers that an API should only be accessed using HTTPS, never plain HTTP.
Format: As defined by MDN
Example:
    strict-transport-security: max-age=31536000; includeSubDomains; preload

Header name: X-XSS-Protection
Required?: Yes
Description: Stops pages from loading when the browser detects a reflected cross-site scripting (XSS) attack.
Format: As defined by MDN
Example:
    x-xss-protection: 1;mode=block

Header name: Access-Control-Allow-Origin
Required?: No*
Description: Tells a browser-based API client which origin server(s) are allowed to communicate with the API.
*This header is used by browser-based API clients.
Format: As defined by MDN
Example:
    Access-Control-Allow-Origin: *

Header name: Access-Control-Max-Age
Required?: No*
Description: Tells browser-based clients how long (in seconds) the results of a preflight request can be cached.
*This header is used by browser-based API clients.
Format: As defined by MDN
Example:
    Access-Control-Max-Age: 600

Header name: Access-Control-Allow-Credentials
Required?: No*
Description: For Code Connect APIs that may be consumed by browser-based clients, enables cross-origin API invocations to be authenticated/authorized using cookies, Authorization headers, or client (TLS) certificates.
*This header is used by browser-based API clients.
Format: As defined by MDN
Example:
    Access-Control-Allow-Credentials: true

Header name: Content-Security-Policy
Required?: No*
Description: Helps mitigate cross-site scripting (XSS) attacks by restricting the sources from which content may be loaded.
*This header is used by browser-based API clients.
Format: As defined by MDN
Example:
    Content-Security-Policy: script-src 'self' https://codeconnect.fisglobal.com

Header name: X-Content-Type-Options
Required?: No*
Description: Tells the browser that the MIME type advertised in the Content-Type header must be followed and not sniffed or modified.
*This header is used by browser-based API clients.
Format: As defined by MDN
Example:
    X-Content-Type-Options: nosniff

Header name: X-Frame-Options
Required?: No*
Description: Indicates whether a browser may render the content in a <frame>, <iframe> or <object>.
*This header is used by browser-based API clients.
Format: As defined by MDN
Examples:
    X-Frame-Options: deny
    X-Frame-Options: sameorigin
    X-Frame-Options: allow-from https://codeconnect.fisglobal.com/

Header name: Public-Key-Pins
Required?: No
Description: Communicates a hash of the Code Connect server certificate to help users mitigate the risk of man-in-the-middle attacks. Users should verify the server certificate hash against a stored value that was shared separately from the response.
Format: As defined by MDN

* = This header is conditionally required. Refer to the header description for the requirement conditions.
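As an added example (not part of the Code Connect documentation or the product), the following Python checks a captured response's headers against the table above: the two rows marked Yes are always required, the No* rows are required only when the API is consumed from a browser, and a few value-level checks cover the weak settings a reviewer would look for. The sample header sets are constructed; the specific origin used for Access-Control-Allow-Origin in the compliant sample is an assumption, because browsers reject the wildcard `*` when Access-Control-Allow-Credentials is `true`.

```python
"""Check an HTTP response's headers against the Code Connect response-header table.

Added example. Header names and the Yes / No* classification come from the table
on this page; the sample responses below are constructed for illustration.
"""
from typing import Dict, List

# Rows the table marks "Required? Yes".
ALWAYS_REQUIRED = ("Strict-Transport-Security", "X-XSS-Protection")

# Rows the table marks "No*": required when the API is consumed by browser-based clients.
BROWSER_CLIENT_HEADERS = (
    "Access-Control-Allow-Origin",
    "Access-Control-Max-Age",
    "Access-Control-Allow-Credentials",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
)

ONE_YEAR_SECONDS = 31536000  # the max-age used in the page's HSTS example


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare them in lower case."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def _directives(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' into {'max-age': '31536000', 'includesubdomains': ''}."""
    result: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            result[key.strip().lower()] = val.strip()
    return result


def check_response_headers(headers: Dict[str, str], browser_client: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the response satisfies the table."""
    h = _normalize(headers)
    findings: List[str] = []

    # Presence checks: Yes rows always, No* rows only for browser-based consumers.
    for name in ALWAYS_REQUIRED:
        if name.lower() not in h:
            findings.append(f"missing required header: {name}")
    if browser_client:
        for name in BROWSER_CLIENT_HEADERS:
            if name.lower() not in h:
                findings.append(f"missing browser-client header: {name}")

    # Value checks on whatever is present.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        d = _directives(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else -1
        if max_age < ONE_YEAR_SECONDS:
            findings.append("Strict-Transport-Security: max-age below one year")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security: includeSubDomains not set")

    xss = h.get("x-xss-protection")
    if xss is not None and not xss.startswith("1"):
        findings.append("X-XSS-Protection: filter not enabled (expected '1; mode=block')")

    cto = h.get("x-content-type-options")
    if cto is not None and cto.lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected 'nosniff'")

    xfo = h.get("x-frame-options")
    if xfo is not None:
        parts = xfo.split()
        token = parts[0].lower() if parts else ""
        if token not in ("deny", "sameorigin", "allow-from"):
            findings.append(f"X-Frame-Options: unrecognised value '{xfo}'")

    # Browsers refuse a wildcard origin on credentialed CORS responses, so this
    # combination is a misconfiguration (the API silently becomes unusable cross-origin).
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials")
    if acao == "*" and acac is not None and acac.lower() == "true":
        findings.append("Access-Control-Allow-Origin '*' cannot be combined with Access-Control-Allow-Credentials 'true'")

    return findings


# Constructed sample: the table's own example values, with an assumed specific origin.
COMPLIANT_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-XSS-Protection": "1;mode=block",
    "Access-Control-Allow-Origin": "https://app.example.invalid",  # assumed client origin
    "Access-Control-Max-Age": "600",
    "Access-Control-Allow-Credentials": "true",
    "Content-Security-Policy": "script-src 'self' https://codeconnect.fisglobal.com",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
}

# Constructed sample: looks protected at a glance but fails several rows.
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "access-control-allow-origin": "*",
    "access-control-allow-credentials": "true",
    "x-content-type-options": "none",
}

if __name__ == "__main__":
    for label, sample in (("compliant", COMPLIANT_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_response_headers(sample, browser_client=True) or "OK")
```

Run against a real response by passing `dict(response.headers)` from whatever HTTP client captured it; `browser_client=True` applies the No* rows as well.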