Each Content Server provides HTTP endpoints for blob up- and download as well as for processor usage data. These are internally used endpoints that are not supported for use by custom clients. You may configure whether authentication data for those endpoints is to be sent as part of the URL (which was the only way prior to CMCC 13) or as a request header field. While sending the token as a query parameter is inherently insecure, it is the default to keep backward compatibility. Unless connection to an older server (prior to CMCC 13) is required, it is recommended to set the corresponding properties to "false".

See Deployment Manual, section 4.4.7 Securing Session Authentication for Content Server HTTP Endpoints for details of configuration.