Optional Security Hardening for Sisense Web Pages
This topic describes additional security options that you can apply to harden Sisense web pages for your needs.
By default, the cookies set by Sisense web pages carry the Secure flag (secureFlag). This flag instructs the browser to return the cookie to the Sisense Web Application only over encrypted connections (HTTPS).
Strict Transport Security
HTTP Strict Transport Security (HSTS) is a method for preventing any communication from being sent to the specified domain over HTTP, so that only communication over HTTPS is allowed. This is useful for preventing man-in-the-middle attacks and for preventing users with invalid certificates from accessing your dashboards. HSTS is applied automatically when you enable SSL for the Sisense Web Application.
Allowed Domains for Embedded Dashboards
If you are embedding a dashboard on your website, you can control who can access the website by adding allowed domains to a whitelist.
Allowed Domains enable you to limit where your embedded dashboards can be viewed, even if someone takes the embed code from your page.
When you add a domain to the whitelist, Sisense includes the domain in the X-Frame-Options header of the dashboard web page.
<add name="X-Frame-Options" value="ALLOW-FROM https://dashboardurl.com" />
To add your domain to the whitelist:
- In the Admin page, select Settings.
- Under Security Settings, enter your domain.
- Click Add.
- Click Save at the bottom of the page.
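One way to confirm the result after saving, as an added example that is not Sisense code: the function below audits the headers of a single HTTPS response for the three controls this page describes (Secure cookies, HSTS, and X-Frame-Options naming the whitelisted domain). The function names, the cookie name and value, and the sample responses are constructed for illustration; only the header names and the ALLOW-FROM value come from the page.

```python
"""Audit one HTTPS response for the three header controls described above."""
from urllib.parse import urlsplit

def origin_of(url):
    """Reduce a URL to scheme://host[:port] so trailing paths do not matter."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme}://{parts.netloc}".lower()

def audit_headers(headers, allowed_origin):
    """headers: (name, value) pairs. Returns findings; [] means all checks pass."""
    findings, by_name = [], {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    # 1. Every cookie must carry the Secure attribute.
    for cookie in by_name.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie without Secure: {cookie.split('=', 1)[0]}")

    # 2. HSTS must be present with a positive max-age.
    hsts, max_age = by_name.get("strict-transport-security", []), 0
    for directive in (hsts[0].split(";") if hsts else []):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip(' "').isdigit():
            max_age = int(val.strip(' "'))
    if max_age <= 0:
        findings.append("HSTS missing or max-age=0")

    # 3. X-Frame-Options must name exactly the whitelisted origin.
    xfo = by_name.get("x-frame-options", [])
    if len(xfo) != 1:
        findings.append("X-Frame-Options missing or duplicated")
    else:
        mode, _, target = xfo[0].partition(" ")
        if mode.upper() != "ALLOW-FROM" or origin_of(target) != origin_of(allowed_origin):
            findings.append(f"X-Frame-Options does not allow {allowed_origin}: {xfo[0]}")
    return findings

# Constructed sample responses (not captured from a real Sisense server).
GOOD = [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("X-Frame-Options", "ALLOW-FROM https://dashboardurl.com")]
BAD = [("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
       ("X-Frame-Options", "ALLOW-FROM https://other.example")]

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, audit_headers(sample, "https://dashboardurl.com"))
```

Browsers that no longer support the ALLOW-FROM directive ignore it, so confirm the framing restriction in the browsers your users actually run.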