This page provides additional security options that can be applied for hardening the security of Sisense web pages for your needs.

If you’re new to Sisense, you can learn more about Sisense security here.

Cookie Security

You can make your Sisense web page cookies more secure by adding a Secure flag to them. This flag instructs the browser to return the cookie to the Sisense Web Application only over encrypted connections (HTTPS), so a session cookie is never sent in the clear.

To add the flag, set the boolean property "secureCookie" on the POST /settings/security endpoint, introduced in Sisense REST V0.9. When enabled, every cookie issued to users who connect to the Sisense Web Application carries the Secure flag.

Strict Transport Security

HTTP Strict Transport Security (HSTS) instructs browsers to send all communication to the specified domain over HTTPS and never over plain HTTP. This helps prevent man-in-the-middle attacks (an attacker cannot downgrade the connection to HTTP) and stops users from reaching your dashboards through a connection whose certificate is invalid, because the browser refuses to bypass the certificate error for an HSTS host.

In the Sisense web.config file, you can add a custom header that informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

Sisense has added the following line to the <customHeaders> section; it is commented out by default.

<!-- <add name="Strict-Transport-Security" value="max-age=31536000" /> -->

You can remove the comments to restrict communication to HTTPS requests only.

For a more secure option, add the includeSubDomains directive. The HSTS policy then applies not only to the domain that sent the header but to all of its subdomains as well, so none of them can be reached over HTTP.

<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />

To implement HTTP Strict Transport Security:

  1. Open the web.config file located at: C:\Program Files\Sisense\PrismWeb
  2. Remove the comment markers (<!-- and -->) from the following line under <customHeaders>:
    <!-- <add name="Strict-Transport-Security" value="max-age=31536000" /> -->
  3. Save the web.config file.

X-Frame-Options and Content-Security-Policy Headers

If you have embedded your Sisense dashboard into your site, you can configure an X-Frame-Options header to defend against clickjacking attacks. This will prevent other web pages from framing your dashboard by indicating whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>.

X-Frame-Options Header Types

There are three possible values for the X-Frame-Options header:

  • DENY: Prevents any domain from framing the content. If you do not embed your dashboard with iframes, use this option to prevent any domain from framing your dashboard.
  • SAMEORIGIN: Allows only the current site to frame the content.
  • ALLOW-FROM uri: Permits only the specified 'uri' to frame this page and prevents all other domains (e.g., ALLOW-FROM http://www.example.com). Browsers that do not support ALLOW-FROM (see the table below) ignore the header entirely, so pair it with a Content-Security-Policy frame-ancestors directive as described under "Setting X-Frame-Options".

Browser Support

The following browsers support X-Frame-Options headers.

Browser           | DENY/SAMEORIGIN support introduced | ALLOW-FROM support introduced
Chrome            | 4.1.249.1042                       | Not supported
Firefox           | 3.6.9 (1.9.2.9)                    | 18.0
Internet Explorer | 8.0                                | 9.0
Opera             | 10.50                              | Not supported in Opera 26 or below
Safari            | 4.0                                | Not supported; supports CSP frame-ancestors instead

Setting X-Frame-Options

You can set the X-Frame-Options for your dashboards in the Sisense web.config file. This file contains a section where custom headers are defined for the webpages where your dashboards are hosted.

To set the X-Frame-Options header:

  1. Open the web.config file located at: C:\Program Files\Sisense\PrismWeb
  2. Remove the comment markers (<!-- and -->) from the following lines under <customHeaders> and fill in the URL of the site that embeds your dashboards:
    <!-- <add name="X-Frame-Options" value="ALLOW-FROM" /> -->
    <!-- <add name="Content-Security-Policy" value="frame-ancestors :host" /> -->
    For IE:
    <add name="X-Frame-Options" value="ALLOW-FROM https://dashboardurl.com" />
    For other browsers:
    <add name="Content-Security-Policy" value="frame-ancestors https://dashboardurl.com" />
    For both:
    <!-- <add name="X-Frame-Options" value="ALLOW-FROM https://dashboardurl.com" /> -->
    <!-- <add name="Content-Security-Policy" value="frame-ancestors https://dashboardurl.com" /> -->
  3. Save the web.config file.
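After editing web.config it is worth confirming that the Sisense Web Application actually sends the headers this page describes. The following audit function is an added example, not Sisense code: it takes a dictionary of response headers (as you would get from any HTTP client) and reports which of the hardening options above are missing or weak. The two header sets it checks are constructed samples, not captured from a real installation.

```python
import re

# Constructed sample responses (not captured from a real Sisense install).
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "frame-ancestors https://dashboardurl.com",
    "X-Frame-Options": "ALLOW-FROM https://dashboardurl.com",
    "Set-Cookie": ["sisense.session=abc; Path=/; Secure; HttpOnly"],
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": ["sisense.session=abc; Path=/"],
}

ONE_YEAR = 31536000  # the max-age value used in the web.config line above


def audit_headers(headers):
    """Return a list of findings about HSTS, framing protection and cookie flags."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # HSTS: present, at least one year, and covering subdomains
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS missing: HTTP requests are not upgraded to HTTPS")
    else:
        if int(m.group(1)) < ONE_YEAR:
            findings.append(f"HSTS max-age {m.group(1)} is shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not cover subdomains (no includeSubDomains)")

    # Clickjacking: X-Frame-Options alone is not enough for browsers without ALLOW-FROM
    csp = h.get("content-security-policy", "").lower()
    xfo = h.get("x-frame-options", "")
    if "frame-ancestors" not in csp and not xfo:
        findings.append("no framing protection: dashboards can be clickjacked")
    elif xfo.upper().startswith("ALLOW-FROM") and "frame-ancestors" not in csp:
        findings.append("ALLOW-FROM only: browsers that ignore it (Chrome, Safari) are unprotected")

    # Cookies: every Set-Cookie must carry the Secure flag (the secureCookie option)
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for c in cookies:
        name = c.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in c.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure flag (secureCookie not enabled)")
    return findings
```

Run it against the headers of a real response to see which of the steps above still need to be applied; an empty list means all three options are in effect.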