Optional Security Hardening for Web Pages

Below are additional security options that can be applied for hardening the security of Sisense web pages for your needs.

Audit Log

Sisense provides audit logs. They can be enabled according to your company security policies. For additional information, see Audit Logs.

Content-Security-Policy

In Sisense V8.2.1 for Linux, following changes to the content-security-policy, the add-ons listed below did not work as expected as images and iFrames were not allowed.

To allow these add-ons to use images and iFrames, you need to modify the content-security-policy to allow domains where your resources are directed to. For example, if your resources such as an image were hosted on sisense.com, you would need to allow this domain so your Viewers could see the images in your add-on.

To modify the content-secutity-policy:

  1. Access the Configuration Manager.
  2. Expand the Content Security Policy section.
  3. Enable Custom Content Security Policy.

    If you enable this option, click Save at the bottom of the page and click OK to apply the changes and restart the relevant Sisense services.

  4. In the fields, Frames Domains and Images Domains, enter the domains where your iFrames and images are pointing to so they can be leveraged in your add-ons. You can use wildcards such as * to allow multiple or unknown domains. For more information about wildcards, Source List Reference here.
  5. Click Save to save your changes.

Cookie Security

By default, Sisense web pages have cookies that contain a secureFlag when SSL is set on the Sisense server. This flag instructs the browser that the cookie should only be returned to the Sisense Web Application over encrypted connections (HTTPS).

For more information about enabling SSL, see Setting Up SSL for Sisense on Linux.

Cross-Site Request Forgery (CSRF)

CSRF is a type of exploit that allows attackers to perform unauthorized actions on behalf of a user that the web application trusts. For example, if you are logged into Sisense, and open another web page or email provided by the attacker, this can allow the attacker to exploit your authenticated session in Sisense and perform unwanted actions.

To prevent CRSF attacks on Sisense:

  1. In your browser, open the Configuration Manager located at http://localhost:3030.
  2. Toggle the CSRF Protection switch to Enabled.
Note:

If you enable CSRF Protection, you cannot use SisenseJS, Sisense Mobile, or Sisense embedded in iFrames. To use CSRF Protection with your add-ons, see Cross-Site Request Forgery.

When CSRF Protection is enabled, an additional cookie is added for validation. If the domains of the parent application and Sisense are the same or a proxy is being used, then that cookie will be available from the parent application side and Sisense JS will be available to use. Otherwise, that cookie will not be available and Sisense JS will not be available as well.


Account Lockout Thresholds

To prevent brute-force attacks, you can configure account lockout thresholds. For more information, see Account Lockout Thresholds.

Strict Transport Security

HTTP Strict Transport Security (HSTS) is a method for preventing any communications from being sent over HTTP to the specified domain and allows only communication over HTTPS. This is useful for preventing man-in-the-middle attacks or users with invalid certificates from accessing your dashboards. This is automatically applied when you enable SSL for the Sisense.

Allowed Domains for Embedded Dashboards

If you are embedding a dashboard on your website, you can control who can access the website by adding allowed domains to a whitelist.

Allowed Domains enable you to limit where your embedded dashboards can be viewed, even if someone takes the embed code from your page.

When you add a domain to the whitelist, Sisense includes the domain in the X-Frame Options header of the dashboard web page.

For example:

<add name="X-Frame-Options" value="ALLOW-FROM https://dashboardurl.com" />

The header is not included by default. You can enable it from the Configuration Manager located at http://localhost:3030.

To add your domain to a white list:

  1. In the Admin page, search for and select Settings which is located under Security & Access.
  2. Under Security Settings, enter your domain and the port.

  3. Click Add.
  4. Click Save at the bottom of the page.

Allowed Origins for the WebSocket Connection

You can control the origins that are allowed to connect to Sisense via the WebSocket protocol.

To configure the list of allowed origins:

  1. On the [Admin] page, navigate to [Server & Hardware] → [System Management] → [Configuration].

  2. Switch to the extended settings view by clicking 5 times on the Sisense logo in the top-left corner of the page.

  3. Select the [Api-Gateway] service.

  4. Under the [Websockets] tile, locate the websockets.allowedHosts parameter.

  5. Enter a comma-separated list of the allowed origins.

Allowed origins list syntax:

  • Use of the http:// or https:// prefixes is optional

  • Add the port if a port other than 443 is used

Example: my.sisense.com,dashboards.sisense.com,1.2.3.4:30845

Notes:

  • You must add the origin of the Sisense application itself for the correct functioning of Sisense. If you embed Sisense using SisenseJS, you also need to list any origins that may load Sisense in embedded mode.

  • In Sisense versions L2023.1 and earlier, you must also add the following origin to the list: api-gateway-internal.sisense:14991