Spotfire Ideas Portal
Status Future Consideration
Product Spotfire
Categories API
Created by Guest
Created on Mar 15, 2022

Provide tool to configure content security policy header aligned with the mashery product

Tibco in their Mashery product offers a safer and better way to set the header, the idea is to make the same tool available for Spotfire. As demands from our Security department are growing to configure more settings, manually changing the configuration is not sustainable anymore.

    <!-- Content Security Policy -->
    <security>
      ...
      <headers>
        <directives>
          <directive>
            <action>add</action>
            <enabled>true</enabled>
            <!-- the HTTP response header is named Content-Security-Policy -->
            <name>Content-Security-Policy</name>
            <value>XXXXX</value>
          </directive>
        </directives>
        <properties />
      </headers>
      ...
    </security>

Together we added this Content Security Policy header according to Tibco's guide

https://docs.tibco.com/pub/spotfire_server/10.3.0/doc/html/TIB_sfire_server_and_environment_security/GUID-21E84B13-CC6C-4545-AC6E-F3063C8EC591.html


and using Google's Content-Security-Policy assistant

https://csp-evaluator.withgoogle.com

Note that this is an "unsafe" Content-Security-Policy that offers basic protection. Tibco in their Mashery product offers a safer and better way to set the header. So the product team will contact the vendor to find out if they can either migrate the Mashery tool to Spotfire or if they have any more suggestions on how to make the header safer. We might even be able to get away with removing unsafe-inline and unsafe-eval, but that is for a future Content-Security-Policy based on the vendor's recommendations.
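The "unsafe" keywords mentioned above can be checked locally before a policy is pasted into the configuration. The script below is an added example, not code from this post, Spotfire or Mashery: it parses a header value, flags the weak source expressions in script-src and object-src (including the default-src fallback), and builds the <directive> element in the layout of the fragment shown above, which is assumed to be what the configuration expects. The sample policy is constructed.

```python
"""Lint a Content-Security-Policy header value for weak keywords and emit
the Spotfire Server <directive> fragment for it (added example; the XML
layout mirrors the fragment above and is an assumption about the format)."""
import xml.etree.ElementTree as ET

# Source expressions that effectively disable CSP's script/plugin protection.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [sources]}; per the CSP spec the
    first occurrence of a directive wins and later duplicates are ignored."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """A fetch directive falls back to default-src when absent; None when
    neither is set, meaning the directive is unrestricted."""
    return policy[directive] if directive in policy else policy.get("default-src")


def find_weaknesses(policy: dict[str, list[str]]) -> list[str]:
    """Return one finding per risky source in script-src / object-src."""
    findings = []
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive} is unrestricted (no {directive} or default-src)")
            continue
        findings.extend(f"{directive} allows {s}" for s in sources if s.lower() in RISKY_SOURCES)
    return findings


def spotfire_directive(value: str) -> str:
    """Build the <directive> element in the layout of the fragment above."""
    directive = ET.Element("directive")
    ET.SubElement(directive, "action").text = "add"
    ET.SubElement(directive, "enabled").text = "true"
    ET.SubElement(directive, "name").text = "Content-Security-Policy"
    ET.SubElement(directive, "value").text = value
    return ET.tostring(directive, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample resembling the "unsafe" policy the post describes.
    sample = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'"
    for finding in find_weaknesses(parse_csp(sample)):
        print("WARN:", finding)
    print(spotfire_directive(sample))
```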