Optional Security Hardening for Sisense Web Pages
To learn about security hardening in Linux, see Optional Security Hardening for Web Pages.
This topic describes additional options that you can apply to harden the security of Sisense web pages.
By default, Sisense web pages have cookies that contain a secureFlag when SSL is set on the Sisense server. This flag instructs the browser that the cookie should only be returned to the Sisense Web Application over encrypted connections (HTTPS).
For more information about enabling SSL, see Setting Up SSL for Sisense Linux.
CSRF is a type of exploit that allows attackers to perform unauthorized actions on behalf of a user that the web application trusts. For example, if you are logged into Sisense, and open another web page or email provided by the attacker, this can allow the attacker to exploit your authenticated session in Sisense and perform unwanted actions.
To prevent CSRF attacks on Sisense:
- In your browser, open the Configuration Manager located at http://localhost:3030.
- Toggle the CSRF Protection switch to Enabled.
Note: If you enable CSRF Protection, you cannot use SisenseJS, Sisense Mobile, or Sisense embedded in iFrames. To use CSRF Protection with your custom add-ons, see Cross-Site Request Forgery.
Account Lockout Thresholds
To prevent brute-force attacks, you can configure account lockout thresholds. For more information, see Account Lockout Thresholds.
Strict Transport Security
HTTP Strict Transport Security (HSTS) is a method for ensuring that browsers communicate with the specified domain only over HTTPS and never over HTTP. This is useful for preventing man-in-the-middle attacks and for preventing users with invalid certificates from accessing your dashboards. HSTS is applied automatically when you enable SSL for Sisense.
If you are embedding a dashboard on your website, you can control who can access the website by adding allowed domains to a whitelist.
Allowed Domains enable you to limit where your embedded dashboards can be viewed, even if someone takes the embed code from your page.
When you add a domain to the whitelist, Sisense includes the domain in the X-Frame-Options header of the dashboard web page.
<add name="X-Frame-Options" value="ALLOW-FROM https://dashboardurl.com" />
The header is not included by default. You can enable it from the Configuration Manager located at http://localhost:3030.
To add your domain to the whitelist:
- In the Admin page, select Security Settings.
- Under Security Settings, enter your domain and the port.
- Click Add.
- Click Save at the bottom of the page.
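The header-level settings described above (the cookie secure flag, HSTS, and the X-Frame-Options whitelist header) can be verified from a captured HTTPS response. The following is an added example, not Sisense code; the function name `audit_headers`, the cookie name, and the sample headers are constructed for illustration. It goes slightly beyond the page by also flagging `ALLOW-FROM`, which is an obsolete directive that current browsers ignore.

```python
# Added example, not Sisense code. Sample headers at the bottom are constructed.
def audit_headers(headers, expected_origin=None):
    """headers: (name, value) pairs from an HTTPS response.
    Returns findings as 'FAIL: ...' or 'WARN: ...' strings (empty = clean)."""
    findings, by_name = [], {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    # Secure flag: every Set-Cookie must carry the attribute.
    for raw in by_name.get("set-cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"FAIL: cookie {parts[0].split('=', 1)[0]!r} lacks Secure")

    # HSTS: header must be present with a positive max-age.
    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.append("FAIL: Strict-Transport-Security missing")
    else:
        directives = dict(d.strip().lower().partition("=")[::2] for d in hsts[0].split(";"))
        max_age = directives.get("max-age", "").strip('"')
        if not max_age.isdigit() or int(max_age) == 0:
            findings.append("FAIL: HSTS max-age missing or zero")

    # Framing: the header is off by default; when present, check the allowed origin.
    xfo = by_name.get("x-frame-options")
    if not xfo:
        findings.append("FAIL: X-Frame-Options missing")
    elif xfo[0].upper().startswith("ALLOW-FROM"):
        origin = xfo[0][len("ALLOW-FROM"):].strip().rstrip("/")
        if expected_origin and origin.lower() != expected_origin.lower().rstrip("/"):
            findings.append(f"FAIL: framing allowed from unexpected origin {origin!r}")
        # Obsolete directive: test framing in the browsers your users actually run.
        findings.append("WARN: ALLOW-FROM is ignored by current browsers")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"FAIL: unrecognized X-Frame-Options value {xfo[0]!r}")
    return findings

# Constructed samples: SSL enabled with a whitelisted domain, and neither configured.
SAMPLE_HARDENED = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "ALLOW-FROM https://dashboardurl.com"),
]
SAMPLE_PLAIN = [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]

if __name__ == "__main__":
    print(audit_headers(SAMPLE_HARDENED, "https://dashboardurl.com"))
    print(audit_headers(SAMPLE_PLAIN))
```

To audit a live server, pass the header pairs from your HTTP client's response object in place of the constructed samples.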