Content-Security-Policy
A Content-Security-Policy HTTP header provides the ability to detect and mitigate some types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. By default it is set on all responses from the Spotfire Server, except for the Web Player service. If you have added custom JavaScript in a cobranding package or similar, you might need to set a custom policy, or even switch off the functionality.
To switch off the Content-Security-Policy header:
config export-config --force
config set-config-prop -n security.content-security-policy.enabled -v false
config import-config -c "Disabled Content-Security-Policy"
To switch the Content-Security-Policy header back on:
config export-config --force
config set-config-prop -n security.content-security-policy.enabled -v true
config import-config -c "Enabled Content-Security-Policy"
To switch to the Content-Security-Policy-Report-Only header, which only reports violations instead of blocking them:
config export-config --force
config set-config-prop -n security.content-security-policy.report-only -v true
config import-config -c "Switched to Content-Security-Policy-Report-Only"
When the Content-Security-Policy header is enabled, the server includes the HTTP header "Content-Security-Policy" in all responses, except for the Web Player service. The reason for this is that the Web Player requires a more permissive policy than the rest of the system.
To set a custom policy:
config export-config --force
config set-config-prop -n security.content-security-policy.directive -v <value>
config import-config -c "Customized Content-Security-Policy"
The current policy is logged on INFO level during startup of the server, and any violations of the policy are by default logged in the csp-violations.log log file.
For more information about what you can specify as the <value>, see the documentation about Content Security Policy (CSP) for your web browser.
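The following is an added example, not code from Spotfire or from this page, to make concrete what the <value> of the directive property looks like and what ends up in a violation log. It parses a policy string of the form a browser expects in the Content-Security-Policy header, answers whether a given resource load would be blocked for a directive (falling back to default-src the way browsers do), picks the header name for enforcing versus report-only mode, and formats a browser violation report as a single log line. The policy string, the origin spotfire.example.com and the violation report are constructed sample data; the matching logic is a simplified subset of the CSP source-expression rules, not the server's implementation.

```python
"""Minimal CSP helper: parse a policy, check a load, format a violation report.

Constructed example. Implements a simplified subset of CSP source matching:
'self', 'none', '*', scheme sources ("https:"), host sources with optional
scheme and a leading "*." wildcard. Paths and nonces/hashes are not modelled.
"""
from __future__ import annotations

import json
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set (simplified list).
FETCH_FALLBACK = {d: "default-src" for d in (
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "frame-src", "media-src", "object-src")}

# Constructed sample values; a real deployment supplies its own.
EXAMPLE_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                  "img-src *; object-src 'none'")
EXAMPLE_ORIGIN = "https://spotfire.example.com"


def header_name(report_only: bool) -> str:
    """Report-only mode uses a different header name; the policy syntax is identical."""
    return "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split "d1 s1 s2; d2 s3" into {directive: [sources]}.

    Directive names are case-insensitive; a repeated directive is ignored,
    which is what browsers do with duplicates.
    """
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _source_matches(expr: str, origin: str, url: str) -> bool:
    """Match one source expression against a resource URL."""
    expr = expr.lower()
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}".lower() == origin.lower()
    if expr == "*":
        return True
    if expr.endswith(":"):                      # scheme source, e.g. "https:"
        return u.scheme == expr[:-1]
    scheme, host = expr.split("://", 1) if "://" in expr else (None, expr)
    host = host.rstrip("/")
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):                   # wildcard subdomain, not the bare domain
        return u.netloc.lower().endswith(host[1:]) and u.netloc.lower() != host[2:]
    return u.netloc.lower() == host


def is_allowed(policy: dict[str, list[str]], directive: str, url: str, origin: str) -> bool:
    """True if the policy permits loading `url` under `directive` for a page at `origin`."""
    sources = policy.get(directive.lower())
    if sources is None:
        sources = policy.get(FETCH_FALLBACK.get(directive.lower(), ""))
    if sources is None:
        return True                             # no governing directive: unrestricted
    return any(_source_matches(s, origin, url) for s in sources)


def inline_allowed(policy: dict[str, list[str]], directive: str) -> bool:
    """Inline script/style (the usual cobranding pain point) needs 'unsafe-inline'."""
    sources = policy.get(directive.lower()) or policy.get("default-src") or []
    return "'unsafe-inline'" in (s.lower() for s in sources)


def format_violation(report_json: str) -> str:
    """Turn a browser-posted report (application/csp-report) into one log line."""
    r = json.loads(report_json)["csp-report"]
    directive = r.get("effective-directive") or r.get("violated-directive")
    return (f"CSP violation: directive={directive} blocked={r.get('blocked-uri')} "
            f"document={r.get('document-uri')} disposition={r.get('disposition', 'enforce')}")


# Constructed report, shaped like what a browser sends to a report endpoint.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://spotfire.example.com/spotfire/login.html",
    "violated-directive": "script-src 'self' https://cdn.example.com",
    "effective-directive": "script-src",
    "original-policy": EXAMPLE_POLICY,
    "disposition": "report",
    "blocked-uri": "https://evil.example.net/x.js",
    "status-code": 200}})

if __name__ == "__main__":
    pol = parse_policy(EXAMPLE_POLICY)
    print(header_name(True))
    print(is_allowed(pol, "script-src", "https://cdn.example.com/lib.js", EXAMPLE_ORIGIN))
    print(is_allowed(pol, "style-src", "https://cdn.example.com/a.css", EXAMPLE_ORIGIN))
    print(format_violation(SAMPLE_REPORT))
```

Running it in report-only mode first and reading the resulting log lines is the practical way to discover which sources a cobranding package really needs before tightening the directive value; a custom policy that lists only those sources is preferable to switching the header off.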