The Content Delivery API and Preview API are fully available via SSL. You should request JSON data and assets through a secure transport.
Our client libraries enable SSL by default. Unless there is a reason to disable SSL, you should leave it enabled to ensure maximum privacy for clients.
The Content Management API is only available via SSL, and you must make all requests using the https protocol.
Using SSL ensures that the content and access tokens of a space remain secure and that potential eavesdroppers cannot intercept your data.
*, or all.
Access-Control-Allow-Headers: A long list of common headers. If you want to know more, read the reference below.
Access-Control-Allow-Methods: HTTP verbs. Typically the request type, plus
Access-Control-Max-Age: This varies depending on endpoint, but is a high value to avoid preflight requests.
Note: Allowing all origins is safe because all requests must include an access token in the query string or as a header. The token will never be sent implicitly by a cookie. You can only issue destructive requests against the HTTPS endpoint.
Our APIs support conditional GET requests via ETag and
Every API response (both single resources and searches) includes an ETag header. The ETag header changes depending on the content of the response. If a resource is updated or a search result changes, the ETag also changes.
To avoid unnecessary transfers you can set the If-None-Match header of an API request to the ETag previously received for the same API request.
If the content hasn't changed in the meantime, the API will respond with a 304 Not Modified response. This makes a difference for large responses and especially binary files.
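The conditional GET flow described above, as an added example that is not part of the original documentation: a Python client that stores the ETag per URL and sends it back in If-None-Match, run against a local stand-in server on 127.0.0.1. The Origin handler, ETagClient, demo, the /entries path and the sample JSON are constructed for illustration and are not Contentful's API or client library.

```python
import hashlib
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CONTENT = {"body": b'{"title": "v1"}'}  # constructed sample resource

class Origin(BaseHTTPRequestHandler):  # local stand-in server (assumption)
    def do_GET(self):
        body = CONTENT["body"]
        etag = '"%s"' % hashlib.sha256(body).hexdigest()[:16]  # changes with content
        unchanged = self.headers.get("If-None-Match") == etag
        self.send_response(304 if unchanged else 200)
        self.send_header("ETag", etag)
        self.end_headers()
        if not unchanged:
            self.wfile.write(body)  # a 304 carries no body

    def log_message(self, *args):  # silence per-request logging
        pass

class ETagClient:  # remembers (ETag, body) per URL, revalidates on reuse
    def __init__(self):
        self.cache = {}
        # Loopback demo: ignore any proxy settings from the environment.
        self.opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

    def get(self, url):
        req = urllib.request.Request(url)
        if url in self.cache:
            req.add_header("If-None-Match", self.cache[url][0])
        try:
            with self.opener.open(req) as resp:
                self.cache[url] = (resp.headers["ETag"], resp.read())
                return resp.status, self.cache[url][1]
        except urllib.error.HTTPError as err:  # urllib reports 304 as an error
            if err.code != 304:
                raise
            return 304, self.cache[url][1]  # body comes from the local copy

def demo():
    with HTTPServer(("127.0.0.1", 0), Origin) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = "http://127.0.0.1:%d/entries" % server.server_port
        client = ETagClient()
        first, second = client.get(url), client.get(url)  # 200, then 304
        CONTENT["body"] = b'{"title": "v2"}'  # resource is updated
        third = client.get(url)  # ETag changed: full body again
        server.shutdown()
    return [first, second, third]
```

Because the client replays its stored body on a 304, the cache has to be keyed on the exact request, as the text says ("the same API request"); responses fetched with different access tokens should not share a cache entry.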
All API endpoints support GZip compression to save bandwidth. Please take into account that enabling compression will put more load on your clients' processors.
Contentful sets the following headers: