Alteryx Server Discussions

Find answers, ask questions, and share expertise about Alteryx Server.

alteryx.config file httpHeaders parameter

jzamora
7 - Meteor

Can the following configuration be implemented in the httpHeaders parameter in the config file of Alteryx Server?

  • Secure mode in the "Content-Security-Policy" header.

  • Cookie SameSite attribute with value strict or lax.

  • Referrer-Policy header with reasonable values such as "same-origin", "strict-origin" and "no-referrer".

  • Secure mode for the X-Powered-By, X-Runtime, X-Version or X-AspNet-Version headers, with the objective of not showing their values.

carlosteixeira
15 - Aurora

Hi @jzamora, how are you?

Yes, you can.

Take a look at this post:

https://community.alteryx.com/t5/Engine-Works/How-to-Cancel-Manual-Jobs-in-Alteryx-Server/ba-p/90192...

I'm using something about it in the last part of the workflow, when I send commands to the page to cancel the job.

I hope this helps you.


Carlos A Teixeira
jzamora
7 - Meteor

Answer provided by:

Becca Katzmann | Sr. Customer Support Engineer
support@alteryx.com | community.alteryx.com

The ability to add custom headers lies within the 'alteryx.config' file, located by default under %ProgramFiles%\Alteryx\bin\config\:

  1. Open 'alteryx.config' in a text editor.
  2. Search for the lines showing "OPTIONAL: httpHeaders".
     By default, it will look like the below:

    <!--
        OPTIONAL: httpHeaders

        This lets you add additional/custom headers to be returned with all responses.
    -->
    <httpHeaders>
        <!--<header name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />-->
    </httpHeaders>

 

Add headers depending on your needs.
In this case, they added the 4 lines below to httpHeaders:

    <!--
        OPTIONAL: httpHeaders

        This lets you add additional/custom headers to be returned with all responses.
    -->
    <httpHeaders>
        <!--<header name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />-->
        <header name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <header name="X-XSS-Protection" value="1; mode=block" />
        <header name="Content-Security-Policy" value="default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'" />
        <header name="X-Content-Type-Options" value="nosniff"/>
    </httpHeaders>

 

Additional Resources

  • You will need to be on version 2018.3 or later in order to use this feature.
  • When upgrading in the future, this file will likely be wiped out and replaced; you will need to enter the changes back in again.
  • Please note the X-XSS-Protection header is deprecated and should no longer be used. The Content-Security-Policy header should be used in its place. Also, the policy for this header is pretty site-specific and can break Server if not configured properly.

    <httpHeaders>
        <!-- Cache-Control directives are a comma-separated list (RFC 9111) -->
        <header name="Cache-Control" value="no-store, max-age=0" />
        <header name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <header name="X-Content-Type-Options" value="nosniff" />
        <header name="Content-Security-Policy" value="default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'" />
        <header name="Access-Control-Allow-Origin" value="https://{hostnameOrFQDN}" />
        <header name="Vary" value="Origin" />
        <!-- Referrer-Policy fallback values are comma-separated; a ';' would make the whole value one unrecognised token -->
        <header name="Referrer-Policy" value="no-referrer, strict-origin-when-cross-origin" />
    </httpHeaders>

 

These headers should address most (if not all) of the customer concerns reported via the last few security audit and penetration testing results I have seen. The Content-Security-Policy listed here is the strictest policy we could apply without breaking something. We do have an action item for the team to make a change so the 'data:' parameter for the img-src option will no longer be required in the future. There is also an item to remove the dependence on a remote CDN-loaded style sheet, which should allow the 'unsafe-inline' option to be removed in the future as well. I don't have an ETA for these changes though.

Please let me know if that goes through successfully and if you have any questions. 

With kindness,

Becca Katzmann | Sr. Customer Support Engineer
support@alteryx.com | community.alteryx.com
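To check a proposed httpHeaders block before putting it into production, here is an added example (not Alteryx code and not part of the support answer) that parses an <httpHeaders> fragment like the ones above and reports the weaknesses discussed in this thread: a short HSTS max-age, missing nosniff, a CSP without frame-ancestors, a malformed Referrer-Policy value, and the deprecated X-XSS-Protection header. The sample fragment is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the blocks posted in the thread (not a real
# alteryx.config); it deliberately keeps two of the weaknesses discussed above.
SAMPLE_HTTP_HEADERS = """<httpHeaders>
  <header name="Cache-Control" value="no-store, max-age=0" />
  <header name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
  <header name="X-Content-Type-Options" value="nosniff" />
  <header name="X-XSS-Protection" value="1; mode=block" />
  <header name="Content-Security-Policy" value="default-src 'self'; frame-ancestors 'self'" />
  <header name="Referrer-Policy" value="no-referrer; strict-origin-when-cross-origin" />
</httpHeaders>"""

# Policy tokens defined by the Referrer Policy specification.
REFERRER_POLICIES = {"no-referrer", "no-referrer-when-downgrade", "origin",
                     "origin-when-cross-origin", "same-origin", "strict-origin",
                     "strict-origin-when-cross-origin", "unsafe-url"}
DEPRECATED = {"x-xss-protection"}  # superseded by Content-Security-Policy

def parse_http_headers(xml_text):
    """Return {header name (lower-cased): value} from an <httpHeaders> fragment."""
    root = ET.fromstring(xml_text)
    return {h.get("name").lower(): h.get("value", "") for h in root.iter("header")}

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < 31536000:
        findings.append("HSTS missing or max-age below one year")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")
    if "frame-ancestors" not in headers.get("content-security-policy", ""):
        findings.append("CSP lacks frame-ancestors (clickjacking protection)")
    # Referrer-Policy fallbacks are comma-separated; a ';' turns the whole
    # value into one unknown token, which browsers ignore entirely.
    rp = headers.get("referrer-policy", "")
    tokens = [t.strip().lower() for t in rp.split(",")] if rp else []
    if not rp or any(t not in REFERRER_POLICIES for t in tokens):
        findings.append("Referrer-Policy missing or contains an invalid token")
    for name in sorted(DEPRECATED.intersection(headers)):
        findings.append(f"{name} is deprecated; rely on Content-Security-Policy")
    return findings

if __name__ == "__main__":
    for finding in audit_headers(parse_http_headers(SAMPLE_HTTP_HEADERS)):
        print("FINDING:", finding)
```

Run it against the real block copied out of alteryx.config; it does not touch the server itself, so it is safe to use during a change review.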

jzamora
7 - Meteor

Hi Carlos,

Thanks for the response. Please look at the answer I got from Alteryx.

Best regards,

JP

carlosteixeira
15 - Aurora

Thanks @jzamora for sharing it.

Awesome.

Carlos A Teixeira