Update Storefront Security Settings

PUT https://api.bigcommerce.com/stores/:store_hash/v3/settings/storefront/security

```shell
curl -X PUT https://api.bigcommerce.com/stores/store_hash/v3/settings/storefront/security \
  -H "Accept: application/json" \
  -H "X-Auth-Token: <apiKey>" \
  -H "Content-Type: application/json" \
  -d '{}'
```

200 Updated

```json
{
  "data": {
    "csp_header": {
      "enabled": true,
      "header_value": "default-src 'self'; script-src 'self' https://cdn.example.com"
    },
    "hsts": {
      "enabled": true,
      "include_preload": true,
      "include_subdomains": true,
      "max_age": "one_year"
    },
    "sitewide_https_enabled": true,
    "x_frame_options_header": {
      "allowed_url": "https://trustedpartner.example.com",
      "enabled": true,
      "setting": "deny"
    }
  },
  "meta": {}
}
```
Updates security settings.

  • Channel ID can be used as a query parameter for updating channel-specific settings. If omitted, you will interact with the global settings only.

  • `null` should be supplied to delete overrides per given channel and to inherit values from global level. Partial updates are not supported and all settings should be supplied with `null` value in order to delete overrides per channel.
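The two rules above (channel_id selects the channel, and every setting key must be present, with `null` clearing an override) are easy to get wrong when a client only sends the keys it wants to change. The following added example, not BigCommerce's own code or client library, builds a complete body from the four keys listed in this page's request schema, emitting explicit nulls for the keys the caller left out, and runs a generic CSP sanity check (added here, not a rule from this page) before the PUT is assembled. The helper names, the store hash and the token are placeholders; `send()` makes the real network call and is not exercised offline.

```python
"""Added example (not BigCommerce's code): compose a complete PUT body for
/v3/settings/storefront/security and sanity-check the CSP value first.
Helper names are hypothetical; STORE_HASH/ACCESS_TOKEN are placeholders."""
import json
import urllib.request
from urllib.parse import urlencode

API_BASE = "https://api.bigcommerce.com/stores"

# Top-level keys taken from the request schema on this page.
SETTING_KEYS = ("csp_header", "hsts", "sitewide_https_enabled", "x_frame_options_header")


def build_url(store_hash, channel_id=None):
    """Global settings when channel_id is None; channel-specific otherwise."""
    url = f"{API_BASE}/{store_hash}/v3/settings/storefront/security"
    if channel_id is not None:
        url += "?" + urlencode({"channel_id": int(channel_id)})
    return url


def build_body(overrides):
    """Return a body that names every setting key.

    Partial updates are not supported, and null is what clears a channel
    override so the channel inherits the global value. Keys the caller did
    not supply are therefore emitted as explicit null rather than omitted.
    Unknown keys are rejected so a typo cannot leave a real key unmentioned.
    """
    unknown = set(overrides) - set(SETTING_KEYS)
    if unknown:
        raise ValueError(f"unknown setting keys: {sorted(unknown)}")
    return {key: overrides.get(key) for key in SETTING_KEYS}


def parse_csp(header_value):
    """Split a CSP header into {directive-name: [source, ...]}."""
    directives = {}
    for raw in header_value.split(";"):
        parts = raw.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def csp_script_warnings(header_value):
    """Generic CSP check (added here, not from this page): return the script
    sources that make the policy permissive. script-src falls back to
    default-src when absent, as the CSP specification defines."""
    directives = parse_csp(header_value)
    sources = directives.get("script-src", directives.get("default-src", []))
    permissive = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}
    return sorted(s for s in sources if s.lower() in permissive)


def build_request(store_hash, access_token, overrides, channel_id=None):
    """Return (url, headers, json_body) for the PUT; refuse a permissive CSP."""
    body = build_body(overrides)
    csp = body["csp_header"]
    if csp and csp.get("enabled") and csp.get("header_value"):
        bad = csp_script_warnings(csp["header_value"])
        if bad:
            raise ValueError(f"permissive script sources in CSP: {bad}")
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "X-Auth-Token": access_token,
    }
    return build_url(store_hash, channel_id), headers, json.dumps(body)


def send(url, headers, json_body):
    """Perform the PUT (network call; skipped when running offline)."""
    req = urllib.request.Request(url, data=json_body.encode(), headers=headers, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: set HSTS for channel 1 and clear its other overrides.
    url, headers, payload = build_request(
        "STORE_HASH_PLACEHOLDER", "ACCESS_TOKEN_PLACEHOLDER",
        {"hsts": {"enabled": True, "include_preload": True,
                  "include_subdomains": True, "max_age": "one_year"}},
        channel_id=1,
    )
    print(url)
    print(payload)  # csp_header, sitewide_https_enabled, x_frame_options_header are null
```

Because `build_body` always emits all four keys, a caller who wants to change one channel setting and leave the others inheriting from the global level gets exactly the body the endpoint requires; a caller who wants to keep an existing channel override must pass that value through again, since the endpoint has no merge semantics.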
Authentication

X-Auth-Token (string)

### OAuth scopes

| UI Name | Permission | Parameter |
|:--------|:-----------|:----------|
| Information & Settings | modify | `store_v2_information` |
| Information & Settings | read-only | `store_v2_information_read_only` |

NOTE: Analytics endpoints require the Content (`store_v2_content` and `store_v2_content_read_only`) OAuth scope.

### Authentication header

| Header | Argument | Description |
|:-------|:---------|:------------|
| `X-Auth-Token` | `access_token` | For more about API accounts that generate `access_token`s, see our [Guide to API Accounts](/developer/docs/overview/api-fundamentals/api-accounts#api-accounts). |

### Further reading

For example requests and more information about authenticating BigCommerce APIs, see [Authentication and Example Requests](/developer/docs/overview/api-fundamentals/api-accounts#x-auth-token-header-example-requests).

For more about BigCommerce OAuth scopes, see our [Guide to API Accounts](/developer/docs/overview/api-fundamentals/api-accounts#oauth-scopes).

For a list of API status codes, see [API Status Codes](/developer/api-reference/rest/overview#rest-http-status-codes).

Path parameters

store_hash (string, required)
Permanent ID of the BigCommerce store.

Headers

Accept (string, required, defaults to application/json)
The [MIME type](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) of the response body.

Query parameters

channel_id (integer, optional)
Channel ID to use for channel-specific settings. If omitted, you will interact with the global settings only.

Request

This endpoint expects an object.
csp_header (object, optional)
hsts (object, optional)
sitewide_https_enabled (boolean, optional)
x_frame_options_header (object, optional)

Response

OK
data (object)
meta (object)
Response metadata.
