Alteryx Server Security Vulnerabilties

Rajan

Hi All,

Is there a config file for Alteryx Server that could be modified to resolve the below security defects - 

Also any documentation that can help us guide the changes for server environment - 

For eg: - 

Overly Permissive CORS Access Policy

SSL / TLS is not implemented

Missing X-XSS-Protection header

Missing X-Content-Type-Options header

KevinP

@Rajan Thank you for posting your concerns. Please note that Alteryx Server has supported SSL/TLS since at least version 10.0 and added support for TLS1.2 to both Server and Designer with version 11.5. This just needs to be properly configured and enabled. Please see the Configuring Alteryx Server for SSL: Obtaining and Installing Certificates article and the online Server help (https://help.alteryx.com/20193/server/configure/enable-gallery-ssl) for details.

Regarding your concerns on the additional headers you should note that the X-XSS-Protection header is not supported in most modern browsers (Firefox and Edge) and is in the process of being deprecated by Chrome (Chrome actually removed this with the release of version 78 today). As such you shouldn't utilize this header as most browsers will ignore it anyway.

If you do have a need to set a custom header or a specific header value there is an option/section in the alteryx.config file to add custom headers to the Gallery web service. This config file can be found in your installation path (typically: C:\Program Files\Alteryx\bin\config\alteryx.config). Inside the file is a <httpHeaders> section with a commented example header. You can add any headers with values meeting your requirements to this section of the config file. The entries should follow the provided example. Also please keep in mind that this configuration file may be overwritten with the default values on upgrade or reinstall. As such if you change this configuration you should backup the file and restore it post upgrade to ensure these settings changes are maintained.