All back-end communication in a Spotfire environment is secured by HTTPS/TLS, complying with current security standards and industry best practices.

Spotfire Servers listen to incoming traffic from installed clients and web clients on one HTTP or HTTPS port, the front-end communication port.

Spotfire Servers listen to traffic from services on the nodes on another HTTPS port, the back-end communication port.

The secured back-end communication is based on certificates. After an administrator has approved the new server or node, the certificates are issued automatically. Without a certificate, a server or a service on a node cannot make requests to, or receive requests from, other entities, except for when requiring a certificate.

After being installed, a node performs a join request to a specific, unencrypted HTTP Spotfire Server port that only handles registration requests. The node remains untrusted until the administrator approves the request by trusting the node. The Spotfire Server start page provides the tools to add nodes to the environment by explicitly trusting them, thereby issuing the certificates. When the node receives its certificate, it can send encrypted communication over the HTTPS/TLS ports and with this it can start to send more than registration requests.