Keywords:
Spotfire Server, X-Frame-Options, SAMEORIGIN, clickjacking
Answer:
With the configuration properties "security.x-frame-options.enabled" set to "true" and "security.x-frame-options.directive" set to "SAMEORIGIN", Spotfire pages can only be displayed if all ancestor frames come from the same origin (same domain). The Spotfire JavaScript API and embedded iframe pages will work as expected as long as the same-origin requirement is met.
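To make the SAMEORIGIN rule concrete, the following added example (not Spotfire's own code) models how a browser evaluates the X-Frame-Options header on a framed page, walking the whole ancestor chain as the answer describes, and shows how to pull the header out of a raw HTTP response for verification. The host names, paths and the sample response are constructed for illustration.

```python
"""Added example: model browser handling of X-Frame-Options (DENY / SAMEORIGIN /
absent) and extract the header from a raw HTTP response. Not Spotfire code."""
from typing import List, Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return the scheme://host:port origin of a URL (default port per scheme)."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return f"{parts.scheme}://{parts.hostname}:{port}"


def may_be_framed(page_url: str, ancestor_urls: List[str], xfo: Optional[str]) -> bool:
    """Decide whether a page served with header value `xfo` renders inside the
    frame chain `ancestor_urls` (innermost parent first, top-level window last).

    - no header   -> framing allowed anywhere (clickjacking exposure)
    - DENY        -> never framed
    - SAMEORIGIN  -> every ancestor must share the page's origin
    Unknown values are treated as if the header were absent, which is how
    browsers handle them."""
    if not ancestor_urls:
        return True  # top-level navigation: nothing is framing the page
    directive = (xfo or "").strip().upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        page_origin = origin_of(page_url)
        return all(origin_of(a) == page_origin for a in ancestor_urls)
    return True


def xfo_from_response(raw: bytes) -> Optional[str]:
    """Extract the X-Frame-Options value from a raw HTTP response, case-insensitively."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"x-frame-options":
            return value.strip().decode()
    return None


# Constructed sample response, shaped like what a server sends once the
# property is enabled with the SAMEORIGIN directive (headers are illustrative).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"\r\n"
    b"<html>...</html>"
)

if __name__ == "__main__":
    xfo = xfo_from_response(SAMPLE_RESPONSE)
    page = "https://spotfire.example.com/spotfire/wp/analysis"  # hypothetical
    print("header:", xfo)
    print("framed by same-origin portal:",
          may_be_framed(page, ["https://spotfire.example.com/portal/"], xfo))
    print("framed by foreign site:",
          may_be_framed(page, ["https://other.example.net/"], xfo))
    print("foreign frame nested inside same-origin page:",
          may_be_framed(page, ["https://spotfire.example.com/portal/",
                               "https://other.example.net/"], xfo))
```

The third case is the one the answer's wording hinges on: a same-origin parent is not enough if any ancestor further up the chain is foreign, so an iframe integration must keep the entire frame hierarchy on the Spotfire origin.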
Additional details:
A Spotfire Server environment can be protected against the clickjacking vulnerability by setting the optional configuration property "security.x-frame-options.enabled" to "true". This adds the "X-Frame-Options" HTTP header to Spotfire responses to prevent this vulnerability, as described in this article: