Optional security HTTP headers
The Spotfire Server can be configured to include extra security-oriented HTTP headers in its responses.
The headers in this section are optional. Only the header X-Content-Type-Options is included by default.
Enable these headers only if you know how they work and you understand the effects they can have on your deployment.
- X-Frame-Options
  The X-Frame-Options HTTP header provides basic protection against some clickjacking attacks (also known as UI redress attacks).
- X-XSS-Protection
  The X-XSS-Protection HTTP header provides basic protection against some XSS attacks by indicating to the browser clients how they should use their built-in XSS protection filter. This functionality is enabled by default.
- HTTP Strict-Transport-Security (HSTS)
  The Strict-Transport-Security HTTP header provides support for the HTTP Strict Transport Security (HSTS) standard, as specified by RFC 6797.
- Cache-Control
  The Cache-Control header controls how the browser caches web resources. To make sure that no sensitive files are ever stored on the file system, enable the Cache-Control header to prevent the files from being cached by the browser.
- X-Content-Type-Options
  The X-Content-Type-Options HTTP header can be used to prevent user agents, such as web browsers or Spotfire Analyst clients, from guessing the MIME content type. Instead, they will always use the declared content type.
- SameSite Cookie Attribute
  The SameSite cookie attribute is used to determine whether to allow cookies to be accessed in different scenarios. You might need to change this value in scenarios where the Spotfire Server cookies are used as third-party cookies. For example, it might be needed when external web sites and Spotfire are interacting.
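After enabling any of these headers, it is worth verifying what the server actually sends. The following audit routine is an added example, not Spotfire Server code or configuration: it takes a response header map (here two constructed sets, one hardened and one weak, rather than headers captured from a real server) and reports which of the headers listed above are missing or carry a value that defeats their purpose (an HSTS max-age of zero, a Cache-Control without no-store, a session cookie without a SameSite attribute). The "Secure" cookie check goes slightly beyond the list above; it is included because SameSite and Secure are normally evaluated together.

```python
"""Audit HTTP response headers against the optional security headers.

Added example; the header values below are constructed, not captured
from a Spotfire Server.
"""
import re
from typing import Dict, List

# Constructed sample: what a hardened deployment might send.
HARDENED = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Set-Cookie": "JSESSIONID=constructed; Path=/; Secure; HttpOnly; SameSite=Lax",
}

# Constructed sample: only the default header is present, the rest are weak.
WEAK = {
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=0",
    "Cache-Control": "public, max-age=3600",
    "Set-Cookie": "JSESSIONID=constructed; Path=/",
}


def _directives(value: str) -> Dict[str, str]:
    """Split 'a=b; c' or 'a, b=c' header values into a lower-cased name->value map.

    Flags without a value (e.g. 'no-store', 'Secure') map to an empty string.
    """
    out: Dict[str, str] = {}
    for part in re.split(r"[;,]", value):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip()
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    # Header names are case-insensitive, so normalise them first.
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # Only flag an explicit opt-out; absence is not an error because the
    # header is optional and current browsers no longer honour it.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip().startswith("0"):
        findings.append("X-XSS-Protection explicitly disables the browser filter")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age = _directives(hsts).get("max-age", "")
        if not (max_age.isdigit() and int(max_age) > 0):
            findings.append("Strict-Transport-Security max-age is missing or zero")

    if "no-store" not in _directives(h.get("cache-control", "")):
        findings.append("Cache-Control does not include no-store")

    cookie = h.get("set-cookie")
    if cookie is not None:
        attrs = _directives(cookie)
        if "samesite" not in attrs:
            findings.append("Set-Cookie has no SameSite attribute")
        if "secure" not in attrs:
            findings.append("Set-Cookie is missing the Secure attribute")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        result = audit_headers(hdrs)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print(f"  - {line}")
```

Feed the function the header map returned by whatever HTTP client you use against the server (for example the `headers` attribute of a `urllib.request` response) and treat every returned line as something to fix in the server configuration before exposing the deployment.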
Parent topic: Security administration