Spotfire® Server and Environment Security

Security HTTP Headers

The HTTP headers listed in this topic can be set using Spotfire configuration settings.

See the header help topics, linked from the table, for detailed instructions for configuring the header.

| Header | Default value | Comment |
| --- | --- | --- |
| X-Frame-Options | Not set | Prevents clickjacking and framing of the Spotfire Server web interface by other web sites. If enabled and set to DENY, the Spotfire Web Player JavaScript API stops working. See Mozilla's reference for X-Frame-Options for more information. |
| Strict-Transport-Security (HSTS) | Not set | Instructs the client that the server should be accessed only over HTTPS, never over HTTP. See Mozilla's reference for Strict-Transport-Security for more information. |
| Cache-Control | | Sets directives for caching mechanisms in requests and responses. See Mozilla's reference for Cache-Control for more information. |
| X-Content-Type-Options | nosniff | Prevents browser MIME sniffing in some cases. See Mozilla's reference for X-Content-Type-Options for more information. |
| SameSite Cookie Attribute | Unset | Used in cases where Spotfire Server cookies are used as third-party cookies, for example when external web sites and Spotfire interact. See the W3C specification and the related rfc6265bis documents for more information. |
| Content-Security-Policy | A default is set but is subject to change. The current policy is logged at INFO level during server startup. | Can be used to detect and mitigate some types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. See Mozilla's reference for Content Security Policy for more information. |
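The following script is an added example, not part of this topic or of Spotfire's own code. It audits a response's headers against the six items in the table above: presence of X-Frame-Options, Strict-Transport-Security (with a non-zero max-age), Cache-Control and Content-Security-Policy; X-Content-Type-Options equal to nosniff; and a SameSite attribute on every Set-Cookie (plus the rfc6265bis rule that SameSite=None needs Secure). The sample headers and cookie names are constructed, not captured from a server; `fetch_headers` is included so the same check can be run against a server you administer.

```python
"""Audit an HTTP response's security headers against the set listed in the
Spotfire "Security HTTP Headers" topic. Added example, not Spotfire code."""

import re
import urllib.request


def _group(headers):
    """Group (name, value) pairs by lower-cased name. A response may repeat a
    header (Set-Cookie in particular), so each name maps to a list."""
    grouped = {}
    for name, value in headers:
        grouped.setdefault(name.lower(), []).append(value.strip())
    return grouped


def _check_hsts(values):
    """HSTS only protects if max-age is present and greater than zero."""
    m = re.search(r"max-age\s*=\s*(\d+)", values[0], re.IGNORECASE)
    if not m or int(m.group(1)) == 0:
        return "weak: max-age missing or zero"
    return "ok"


def _check_cookies(set_cookies):
    """Every cookie should carry SameSite; SameSite=None additionally requires
    Secure (rfc6265bis), otherwise browsers reject the cookie."""
    if not set_cookies:
        return "n/a: response sets no cookies"
    problems = []
    for raw in set_cookies:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.lower()] = val
        if "samesite" not in attrs:
            problems.append(f"{name} has no SameSite attribute")
        elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
            problems.append(f"{name} is SameSite=None without Secure")
    return "ok" if not problems else "weak: " + "; ".join(problems)


def audit_security_headers(headers):
    """Return one finding per header: 'ok', 'missing', 'weak: ...' or 'n/a: ...'.
    `headers` is a list of (name, value) pairs, e.g. HTTPResponse.getheaders()."""
    h = _group(headers)
    findings = {}

    # Presence is the check here. DENY is the strongest value, but the topic
    # notes it stops the Web Player JavaScript API from working.
    findings["X-Frame-Options"] = "ok" if "x-frame-options" in h else "missing"

    findings["Strict-Transport-Security"] = (
        _check_hsts(h["strict-transport-security"])
        if "strict-transport-security" in h else "missing")

    findings["Cache-Control"] = "ok" if "cache-control" in h else "missing"

    # The documented default is nosniff; anything else is a misconfiguration.
    xcto = h.get("x-content-type-options", [""])[0].lower()
    findings["X-Content-Type-Options"] = (
        "ok" if xcto == "nosniff"
        else "missing" if not xcto
        else f"weak: expected nosniff, got {xcto}")

    findings["SameSite"] = _check_cookies(h.get("set-cookie", []))

    findings["Content-Security-Policy"] = (
        "ok" if "content-security-policy" in h else "missing")
    return findings


def fetch_headers(url):
    """Fetch a URL you administer and return its headers as (name, value) pairs."""
    with urllib.request.urlopen(url) as resp:
        return resp.getheaders()


# Constructed sample response (not captured from a real server): HSTS present
# but with max-age=0, one cookie without SameSite, CSP absent.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Strict-Transport-Security", "max-age=0"),
    ("Cache-Control", "no-cache, no-store, must-revalidate"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "sessionid=placeholder; Path=/spotfire; Secure; HttpOnly"),
    ("Set-Cookie", "csrf=placeholder; Path=/spotfire; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for header, finding in audit_security_headers(SAMPLE_HEADERS).items():
        print(f"{header:28} {finding}")
```

Run it as-is to see the findings for the constructed sample, or replace `SAMPLE_HEADERS` with `fetch_headers("https://your-spotfire-server/spotfire/")` to audit a server of your own; re-run after each configuration change to confirm the header actually reaches the client, including through any reverse proxy in front of the server.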