Security Settings

To update one or more Security settings:

  1. Click the Admin tab and, from the left-hand menu, click Security Settings, which is located under Security & Access.
  2. Update one or more of the following settings:
    • Embedded Domain White List: Defines which domains can embed your dashboards in iFrames on their sites, so that you control where your dashboards can be embedded. In the Add Domain field, enter each domain where your dashboards can be embedded and click Add. If you do not add any domains, your dashboards can be embedded into any site. After you add a domain, your dashboards can be embedded only in the listed domains.
    • Hide list of allowed domains: Limit the available embedded domains in the server response based on the ‘Referer’ or ‘Origin’ headers in the client app requests.


      If the client app does not send ‘Referer’ or ‘Origin’ headers, enabling this option will cause requests to fail.

    • Support Cross Site Cookies for Embedding: Select the value of the SameSite attribute that is added to cookies when accessing Sisense. Select None if you are embedding Sisense or have implemented Sisense JS. In addition, Sisense recommends that you enable SSL when you select None. For more information about SSL, see Setting Up SSL for Sisense on Linux.
      Changing this setting will rotate the API token.
    • Enable CHIPS for Iframe-based Embedding: Add a ‘Partitioned’ attribute to the auth cookies to leverage CHIPS, a privacy-focused solution that addresses Chrome's deprecation of third-party cookies. For more information, see Third-Party Cookies. Compatible with iFrame-based embedding (iFrame and Embed SDK) only.


      The CHIPS solution is not compatible with Sisense.js or Composed SDK.

    • Session Management: You can choose which method to use for handling the expiration of your users' sessions: Cookie or Session Inactivity. For more information, see .
    • Number of failed login attempts before lockout: Enter the number of times a user can fail to log in before they're locked out of Sisense.
    • Lockout duration (minutes): Enter the number of minutes that a user is locked out of Sisense.
    • Allow only users in imported groups to log in: When connected to Active Directory, Sisense creates a new user for your Active Directory users when they try to log in. If you want to limit which Active Directory users can create an account, toggle this switch to enabled. Only users of a Sisense Active Directory group can create an account and log in.
    • Allowed Target URLs: Specify the whitelisted target URLs for redirect (make sure to include the Sisense URL). If the target URL is not in the allowed list, the redirect will be blocked and users will see a Forbidden message on the SSO callback page. If the list remains empty, all domains will be allowed for redirect.


    Only upload files from sources that you trust.

  3. Click Save to update your system settings.
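The Allowed Target URLs rule from step 2, modelled as an added example (this is not Sisense code). The page does not say how Sisense compares a target with the list, so matching on origin (scheme, host, port) is an assumption, and all hostnames are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) of an absolute http(s) URL, else None."""
    url = url.strip()
    # Browsers treat "\" as "/" in http(s) URLs, urlsplit does not; refuse
    # backslashes, whitespace and control characters rather than guess the host.
    if "\\" in url or any(ord(c) < 0x21 for c in url):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, parts.hostname.lower().rstrip("."), port


def redirect_decision(target, allowed_urls):
    """Return (status, reason) for an SSO redirect to `target`."""
    if not allowed_urls:
        # Documented behaviour: an empty list allows every domain.
        return 302, "allow list is empty, every domain is accepted"
    target_origin = origin(target)
    if target_origin is None:
        return 403, "target is not a well-formed absolute http(s) URL"
    # Assumption: entries match on origin, never on string prefix/substring.
    if target_origin in {origin(u) for u in allowed_urls}:
        return 302, "target origin is in the allow list"
    return 403, "target origin is not in the allow list"


# Constructed sample values; none come from the Sisense documentation.
ALLOWED = ["https://bi.example.com", "https://portal.example.com:8443/app"]
SAMPLES = ["https://bi.example.com/app/main#/dashboards/1",
           "https://bi.example.com.other.example.net/",
           "https://bi.example.com@other.example.net/",
           "http://bi.example.com/", "//other.example.net/"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(redirect_decision(url, ALLOWED)[0], url)
    print(redirect_decision("https://other.example.net/", [])[0], "(empty list)")
```

Only the first sample is redirected; the others resolve to a different host, scheme or no absolute URL at all, and the last line shows that an empty list accepts any target.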

Allowed Domains for Embedded Dashboards

If you are embedding a dashboard on your website, you can control which sites are able to display it by adding allowed domains to a whitelist.

Allowed Domains enable you to limit where your embedded dashboards can be viewed, even if someone takes the embed code from your page.

When you add a domain to the whitelist, Sisense includes the domain in the X-Frame-Options header of the dashboard web page.

For example:

<add name="X-Frame-Options" value="ALLOW-FROM" />


If you are browsing with Internet Explorer, you do not need to fill in the Embedded Domain White List.

The header is not included by default. You can enable it from the Configuration Manager located at http://localhost:3030.

To add your domain to the whitelist:

  1. In the Admin page, select Security Settings.
  2. Under Security Settings, enter your domain and the port.
  3. Click Add.
  4. Click Save.


In Sisense V8.2.1 for Linux, following changes to the content-security-policy, the add-ons listed below did not work as expected because images and iFrames were not allowed.

To allow these add-ons to use images and iFrames, you need to modify the content-security-policy to allow the domains that host your resources. For example, if your resources such as an image were hosted on, you would need to allow this domain so your Viewers could see the images in your add-on.

To modify the content-security-policy:

  1. Access the Configuration Manager.
  2. Expand the Content Security Policy section.
  3. Enable Custom Content Security Policy.
  4. In the Frames Domains and Images Domains fields, enter the domains that your iFrames and images point to so they can be used in your add-ons. You can use wildcards such as * to allow multiple or unknown domains. For more information about wildcards, see the Source List Reference.
  5. Click Save.