alteryx.config file httpHeaders parameter

Question

Can the  following configuration be implemented in the httpHeaders parameter in the config file of Alteryx Server?:

* Secure Mode in the header "Content-Security-Policy".

* Cookies samesite header with value strict or lax.

* Referrer-Policy Header withe reasonable values for “same-origin”, “strict- origin” and “no-referrer”.

* Secure mode of the header X-Powered-By, X-Runtime, X-Version or X-AspNet-Version with the objective of not showing values.

carlosteixeira · Answer

Thank's @jzamora for sharing it.

Awesome.

jzamora · Answer

Hi Carlos,

Thanks for the response. Please look at the answer I got from Alteryx.

Best regards,

JP

jzamora · Answer

Answer provided by: Becca Katzmann | Sr. Customer Support Engineer support@alteryx.com | community.alteryx.com The ability to add custom headers to lies within the 'alteryx.config' file located by default under%ProgramFiles%\Alteryx\bin\config\: * Open the 'alteryx.config' in text editor * Search the lines showing "OPTIONAL: httpHeaders" By default, it will be like below: Add Headers depending on your needs. In this case, they added the about 4 lines to httpHeaders:

21.

Additional Resources * You will need to be on 2018.3 or later version in order to utilize this feature * When upgrading in the future, this file will likely be wiped out and replaced, you will need to enter the changes back in again. * Please note the X-XSS-Protection header is deprecated and should no longer be used. The Content-Security-Policy header should be used in its place. Also the policy for this header is pretty site specific and can break Server if not configured properly. · · ·

·

· These headers should address most (if not all) of customer concerns reported via the last few security audit and penetration testing results I have seen. The Content-Security-Policy listed here is the strictest policy we could apply without breaking something. We do have an action item for the team to make a change so the 'data:' parameter for the img-src option will no longer be required in the future. There is also a item to remove the dependence on a remote CDN loaded style sheet that should allow for the 'unsafe inline' option to be removed in the future as well. I don't have an ETA for these changes though. Please let me know if that goes through successfully and if you have any questions. With kindness, Becca Katzmann | Sr. Customer Support Engineer support@alteryx.com | community.alteryx.com