alteryx.config file httpHeaders parameter

jzamora — Mon, 14 Mar 2022 21:43:12 GMT

Can the following configuration be implemented in the httpHeaders parameter in the config file of Alteryx Server?:

Secure Mode in the header "Content-Security-Policy".
Cookies samesite header with value strict or lax.
Referrer-Policy Header withe reasonable values for “same-origin”, “strict- origin” and “no-referrer”.
Secure mode of the header X-Powered-By, X-Runtime, X-Version or X-AspNet-Version with the objective of not showing values.

Re: alteryx.config file httpHeaders parameter

carlosteixeira — Mon, 14 Mar 2022 22:09:01 GMT

Hi @jzamora how are you?

Yes, you can.

Take a look at this post:

https://community.alteryx.com/t5/Engine-Works/How-to-Cancel-Manual-Jobs-in-Alteryx-Server/ba-p/901921

I'm using something about it in the last part of the workflow when I send commands to the page to cancel the job.

I hope this help you.

Re: alteryx.config file httpHeaders parameter

jzamora — Mon, 21 Mar 2022 17:28:13 GMT

Answer provided by:

Becca Katzmann | Sr. Customer Support Engineer
support@alteryx.com | community.alteryx.com

The ability to add custom headers to lies within the 'alteryx.config' file located by default under%ProgramFiles%\Alteryx\bin\config\:

Open the 'alteryx.config' in text editor
Search the lines showing "OPTIONAL: httpHeaders"
By default, it will be like below:

<!--

OPTIONAL: httpHeaders

This lets you add additional/custom headers to be returned with all responses.

</httpHeaders>

Add Headers depending on your needs.
In this case, they added the about 4 lines to httpHeaders:

<!--

OPTIONAL: httpHeaders

This lets you add additional/custom headers to be returned with all responses.

</httpHeaders>

Additional Resources

You will need to be on 2018.3 or later version in order to utilize this feature
When upgrading in the future, this file will likely be wiped out and replaced, you will need to enter the changes back in again.
Please note the X-XSS-Protection header is deprecated and should no longer be used. The Content-Security-Policy header should be used in its place. Also the policy for this header is pretty site specific and can break Server if not configured properly.

· · <httpHeaders>· <header name="Cache-Control" value="no-store; max-age=0" />· <header name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />· <header name="X-Content-Type-Options" value="nosniff" />· <header name="Content-Security-Policy" value="default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'" />· <header name="Access-Control-Allow-Origin" value="https://{hostnameOrFQDN}" />· <header name="Vary" value="Origin" />· <header name="Referrer-Policy" value="no-referrer; strict-origin-when-cross-origin" />· </httpHeaders>

These headers should address most (if not all) of customer concerns reported via the last few security audit and penetration testing results I have seen. The Content-Security-Policy listed here is the strictest policy we could apply without breaking something. We do have an action item for the team to make a change so the 'data:' parameter for the img-src option will no longer be required in the future. There is also a item to remove the dependence on a remote CDN loaded style sheet that should allow for the 'unsafe inline' option to be removed in the future as well. I don't have an ETA for these changes though.

Please let me know if that goes through successfully and if you have any questions.

With kindness,

Becca Katzmann | Sr. Customer Support Engineer
support@alteryx.com | community.alteryx.com

Re: alteryx.config file httpHeaders parameter

jzamora — Mon, 21 Mar 2022 17:29:18 GMT

Hi Carlos,

Thanks for the response. Please look at the answer I got from Alteryx.

Best regards,

Re: alteryx.config file httpHeaders parameter

carlosteixeira — Mon, 21 Mar 2022 17:46:59 GMT

Thank's @jzamora for sharing it.

Awesome.

topic Re: alteryx.config file httpHeaders parameter in Alteryx Server Discussions

alteryx.config file httpHeaders parameter

Re: alteryx.config file httpHeaders parameter

Re: alteryx.config file httpHeaders parameter

Re: alteryx.config file httpHeaders parameter

Re: alteryx.config file httpHeaders parameter