TIBCO Spotfire® Server and Environment Security

Security HTTP Headers

The HTTP headers listed in this topic can be set using Spotfire configuration settings.

See the help topic for each header, linked from the table, for detailed instructions on configuring that header.

Header: X-Frame-Options
Default value: Not set
Comment: Prevents clickjacking and framing of the Spotfire Server web interface by other web sites. If enabled and set to DENY, the Spotfire Web Player JavaScript API stops working. See Mozilla's reference for X-Frame-Options for more information.

Header: X-XSS-Protection
Default value: Not set
Comment: Controls whether the built-in XSS filter of Internet Explorer, Chrome, and Safari is enabled, and how it should behave when it detects an XSS attack. See Mozilla's reference for X-XSS-Protection for more information.

Header: Strict-Transport-Security (HSTS)
Default value: Not set
Comment: Instructs the client that the server must be accessed only over HTTPS, never over plain HTTP. See Mozilla's reference for Strict-Transport-Security for more information.

Header: Cache-Control
Default value: (not given)
Comment: Sets directives for caching mechanisms in requests and responses. See Mozilla's reference for Cache-Control for more information.

Header: X-Content-Type-Options
Default value: Not set
Comment: Prevents browser MIME sniffing in some cases. See Mozilla's reference for X-Content-Type-Options for more information.

Header: SameSite Cookie Attribute
Default value: Unset
Comment: Used in cases where Spotfire Server cookies are used as third-party cookies, for example when external web sites and Spotfire interact. See the W3C specification and the related rfc6265bis documents for more information.
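As an added example that is not Spotfire's own code or configuration, the following Python audits a captured HTTP response for the headers listed in the table, and checks SameSite on each Set-Cookie line because it is a cookie attribute rather than a header of its own. The sample response, the cookie names, and the accepted values (SAMEORIGIN allowed alongside DENY, a one-year HSTS max-age) are assumptions chosen for illustration.

```python
import re

# Constructed sample response standing in for a Spotfire Server reply;
# header values and cookie names are assumptions, not Spotfire defaults.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cache-Control: private, max-age=600\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/spotfire; Secure; HttpOnly\r\n"
    "Set-Cookie: XSRF-TOKEN=def456; Path=/spotfire; Secure; SameSite=Strict\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return [(name, value), ...] from a raw response; names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_headers(raw):
    """Return {check_name: bool} for the headers this topic lists."""
    hdrs = parse_headers(raw)
    get = lambda n: [v for k, v in hdrs if k == n]
    xfo = get("x-frame-options")
    hsts = get("strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    cookies = get("set-cookie")
    return {
        # DENY also breaks the Web Player JavaScript API, so SAMEORIGIN is accepted
        "x-frame-options": bool(xfo) and xfo[0].upper() in ("DENY", "SAMEORIGIN"),
        # Assumed policy: HSTS max-age of at least one year (31536000 seconds)
        "hsts": max_age is not None and int(max_age.group(1)) >= 31536000,
        "x-content-type-options": any(v.lower() == "nosniff" for v in get("x-content-type-options")),
        "x-xss-protection": bool(get("x-xss-protection")),
        "cache-control": bool(get("cache-control")),
        # SameSite must appear on every cookie, not just one
        "samesite-on-all-cookies": bool(cookies) and all(re.search(r";\s*samesite=", c, re.I) for c in cookies),
    }


if __name__ == "__main__":
    for check, ok in audit_headers(SAMPLE_RESPONSE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

On the sample, the session cookie lacks SameSite and X-XSS-Protection is absent, so those two checks fail while the rest pass.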