Spotfire® Server and Environment - Installation and Administration

Content-Security-Policy

A Content-Security-Policy HTTP header provides the ability to detect and mitigate some types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. It is by default set on all responses from the Spotfire Server, except for the Web Player service. If you have added custom JavaScript in a cobranding package or similar, you might need to set a custom policy, or even switch off the functionality.

The feature can be switched off by running the following commands in the <server installation directory>\tomcat\spotfire-bin directory on the command line. (For details on using the Spotfire command line, see Executing commands on the command line.)
config export-config --force
config set-config-prop -n security.content-security-policy.enabled -v false
config import-config -c "Disabled Content-Security-Policy"

The feature can be switched on by running the following commands:
config export-config --force
config set-config-prop -n security.content-security-policy.enabled -v true
config import-config -c "Enabled Content-Security-Policy"
When evaluating a new Content Security Policy, you can switch from using the Content-Security-Policy header to using the Content-Security-Policy-Report-Only header instead. This way you can read the effects of the policy in the log without blocking anything:
config export-config --force
config set-config-prop -n security.content-security-policy.report-only -v true
config import-config -c "Switched to Content-Security-Policy-Report-Only"

When the Content-Security-Policy header is enabled, the server includes the HTTP header "Content-Security-Policy" in all responses, except for the Web Player service. The reason for this is that the Web Player requires a more permissive policy than the rest of the system.

The policy can also be customized by running the following commands:
config export-config --force
config set-config-prop -n security.content-security-policy.directive -v <value>
config import-config -c "Customized Content-Security-Policy"

The current policy is logged at INFO level during startup of the server, and by default any violations of the policy are logged in the csp-violations.log log file.

For more information about what you can specify as the <value>, see the documentation about Content Security Policy (CSP) for your web browser.
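Before handing a custom <value> to the security.content-security-policy.directive property, it is worth checking it for the settings that undo the protection the header is meant to provide. The following linter is an added example, not part of Spotfire or its documentation; the policy strings it checks are constructed for illustration, and the nonce value in them is a placeholder.

```python
"""Lint a Content-Security-Policy value before setting it as the Spotfire
security.content-security-policy.directive property.
Added example, not Spotfire's own code. Policy strings are constructed."""

# Source expressions that make script execution effectively unrestricted.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:"}

# Constructed sample policies: a weak one and a hardened counterpart.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' *"
HARDENED_POLICY = ("default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; "
                   "object-src 'none'; frame-ancestors 'self'")


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [sources]}.
    Browsers keep the first occurrence of a directive and ignore later
    duplicates, so setdefault() mirrors that behaviour."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), [s.lower() for s in tokens[1:]]
        directives.setdefault(name, sources)
    return directives


def lint_csp(policy: str) -> list:
    """Return a list of findings describing weak settings; empty means clean."""
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append("no default-src: unlisted fetch directives are unrestricted")
    # script-src falls back to default-src when absent.
    script_src = d.get("script-src", d.get("default-src", []))
    for src in script_src:
        if src in RISKY_SOURCES:
            findings.append(f"script-src allows {src}")
    default_blocks_all = "'none'" in d.get("default-src", [])
    if "object-src" not in d and not default_blocks_all:
        findings.append("object-src not restricted; add object-src 'none'")
    if "frame-ancestors" not in d:
        findings.append("no frame-ancestors: framing is not restricted by this policy")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, lint_csp(policy) or "no findings")
```

Run it against the policy you intend to set; an empty result means none of the checked weaknesses is present, not that the policy is complete for your deployment.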