Optional security HTTP headers
The Spotfire Server can be configured to include extra security-oriented HTTP headers in its responses.
The headers in this section are optional, except that X-Content-Type-Options and Content-Security-Policy are included by default.
Enable these headers only if you know how they work and understand the effects they can have on your deployment.
- Content-Security-Policy
  A Content-Security-Policy HTTP header provides the ability to detect and mitigate some types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. It is by default set on all responses from the Spotfire Server, except for the Web Player service. If you have added custom JavaScript in a cobranding package or similar, you might need to set a custom policy, or even switch off the functionality.
- X-Content-Type-Options
  The X-Content-Type-Options HTTP header can be used to prevent user agents, such as web browsers or Spotfire Analyst clients, from guessing the MIME content type. Instead, they will always use the declared content type.
- X-Frame-Options
  The X-Frame-Options HTTP header provides basic protection against some clickjacking attacks (also known as UI redress attacks).
- HTTP Strict-Transport-Security (HSTS)
  The Strict-Transport-Security HTTP header provides support for the HTTP Strict Transport Security (HSTS) standard, as specified by RFC 6797.
- Cache-Control
  The Cache-Control header controls how the browser caches web resources. To make sure that no sensitive files are ever stored on the file system, enable the Cache-Control header to prevent the files from being cached by the browser.
- SameSite Cookie Attribute
  The SameSite cookie attribute is used to determine whether to allow cookies to be accessed in different scenarios. You might need to change this value in scenarios where the Spotfire Server cookies are used as third-party cookies. For example, it might be needed when external web sites and Spotfire are interacting.
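A quick way to verify that a deployment actually sends the headers listed above is to audit a captured response. The following is an added example written for this page, not code from the Spotfire documentation or product: it takes a dictionary of response headers and reports which of the six protections are missing or weakly configured. The sample header sets are constructed, and the thresholds it applies (an HSTS max-age of at least one year, `no-store` as the Cache-Control baseline, `DENY`/`SAMEORIGIN` for X-Frame-Options) are the example's own assumptions rather than settings taken from the page.

```python
"""Audit HTTP response headers for the optional security headers described
on this page: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options,
Strict-Transport-Security, Cache-Control and the SameSite cookie attribute.

Added example, not part of the Spotfire documentation or product.
"""
from typing import Dict, List, Optional, Union

Headers = Dict[str, Union[str, List[str]]]

# Assumption of this example: one year is the floor for a meaningful HSTS policy.
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample: a response that sends every header but configures some weakly.
SAMPLE_HEADERS: Headers = {
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=3600",
    "Cache-Control": "private",
    "Set-Cookie": [
        "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
        "XSRF-TOKEN=def456; Path=/; Secure; SameSite=Lax",
    ],
}

# Constructed sample: the same response with every check satisfied.
HARDENED_HEADERS: Headers = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Set-Cookie": "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
}


def _get(headers: Headers, name: str) -> Optional[Union[str, List[str]]]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _parse_params(value: str, sep: str) -> Dict[str, str]:
    """Split 'a=1; b' (sep=';') or 'a, b' (sep=',') into a lowercase name -> value dict."""
    params: Dict[str, str] = {}
    for part in value.split(sep):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            params[name.strip().lower()] = val.strip()
    return params


def audit_headers(headers: Headers) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        # CSP directives are ';'-separated: "<directive> <source> <source> ...".
        directives = {}
        for directive in str(csp).split(";"):
            tokens = directive.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        if "default-src" not in directives:
            findings.append("Content-Security-Policy has no default-src fallback")
        for name, sources in directives.items():
            if "'unsafe-inline'" in sources:
                findings.append(f"Content-Security-Policy allows 'unsafe-inline' in {name}")

    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None or str(xcto).strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None or str(xfo).strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        params = _parse_params(str(hsts), ";")
        max_age = int(params["max-age"]) if params.get("max-age", "").isdigit() else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age={max_age} is below {MIN_HSTS_MAX_AGE}")

    cache = _parse_params(str(_get(headers, "Cache-Control") or ""), ",")
    if "no-store" not in cache:
        findings.append("Cache-Control does not include no-store")

    cookies = _get(headers, "Set-Cookie") or []
    for cookie in [cookies] if isinstance(cookies, str) else cookies:
        attrs = _parse_params(cookie, ";")
        cookie_name = cookie.split("=", 1)[0].strip()
        if "samesite" not in attrs:
            findings.append(f"cookie {cookie_name} has no SameSite attribute")
        elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
            findings.append(f"cookie {cookie_name} uses SameSite=None without Secure")

    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("WEAK:", finding)
    print("hardened findings:", audit_headers(HARDENED_HEADERS))
```

Running the script against the constructed sample reports the short HSTS max-age, the missing `no-store` directive and the session cookie without a SameSite attribute, while the hardened set produces no findings. To audit a live deployment, feed it the headers from a real response (for example the `headers` attribute of an HTTP client response object) instead of the constructed dictionaries.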