HTTP Response Headers
Tableau Server supports some of the response headers specified in the OWASP Secure Headers Project.
This topic describes how to configure the following response headers for Tableau Server:
- HTTP Strict Transport Security (HSTS)
- Referrer-Policy
- X-Content-Type-Options
- X-XSS-Protection
Tableau Server also supports the Content Security Policy (CSP) standard. CSP configuration is not covered in this topic. See Content Security Policy.
Configuring response headers
All response headers are configured with the tsm configuration set command.
When you are finished configuring response headers, run tsm pending-changes apply.
If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
HTTP Strict Transport Security (HSTS)
HSTS forces clients connecting to Tableau Server to connect with HTTPS. For more information, see the OWASP entry, HTTP Strict Transport Security (HSTS).
Options
gateway.http.hsts
Default value: false
The HTTP Strict Transport Security (HSTS) header forces browsers to use HTTPS on the domain where it is enabled.
gateway.http.hsts_options
Default value: "max-age=31536000"
By default, HSTS policy is set for one year (31536000 seconds). This time period specifies the amount of time in which the browser will access the server over HTTPS.
Referrer-Policy
Beginning in 2019.2, Tableau Server includes the ability to configure Referrer-Policy HTTP header behaviour. This policy is enabled with a default behaviour that will include the origin URL for all "secure as" connections (policy no-referrer-when-downgrade). In previous versions, the Referrer-Policy header was not included in responses sent by Tableau Server. For more information about the various policy options that Referrer-Policy supports, see the OWASP entry, Referrer-Policy.
Options
gateway.http.referrer_policy_enabled
Default value: true
To exclude the Referrer-Policy header from responses sent by Tableau Server, set this value to false.
gateway.http.referrer_policy
Default value: no-referrer-when-downgrade
This option defines the referrer policy for Tableau Server. You may specify any of the policy value strings listed in the Referrer-Policy table on the OWASP page.
X-Content-Type-Options
The X-Content-Type-Options response HTTP header specifies that the MIME type in the Content-Type header should not be changed by the browser. In some cases, where MIME type is not specified, a browser may attempt to determine the MIME type by evaluating the characteristics of the payload. The browser will then display the content accordingly. This process is referred to as "sniffing". Misinterpreting the MIME type can lead to security vulnerabilities.
For more information, see the OWASP entry, X-Content-Type-Options.
Option
gateway.http.x_content_type_nosniff
Default value: true
The X-Content-Type-Options HTTP header is set to 'nosniff' by default with this option.
X-XSS-Protection
The HTTP X-XSS-Protection response header is sent to the browser to enable its cross-site scripting (XSS) protection. The X-XSS-Protection response header overrides browser configuration in cases where users have disabled XSS protection in the browser.
For more information, see the OWASP entry, X-XSS-Protection.
Option
gateway.http.x_xss_protection
Default value: true
The X-XSS-Protection response header is enabled by default with this option.
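After running tsm pending-changes apply, a practitioner typically confirms that the four headers described on this page actually appear in Tableau Server's responses. The following is an added example (not Tableau documentation or product code) that parses a raw HTTP response and checks each header against this page's defaults: HSTS max-age of at least 31536000, a Referrer-Policy value from the standard set the OWASP table lists, X-Content-Type-Options of nosniff, and an X-XSS-Protection value that enables the filter. The two sample responses are constructed for the example; in practice you would feed it the headers captured from the server (for instance with curl -I over HTTPS). The exact X-XSS-Protection value Tableau Server emits is not stated on this page, so the sample uses "1; mode=block" as an assumed value.

```python
"""Check a captured HTTP response for the headers this page describes.

Added example, not Tableau Server code. Assumes a raw HTTP/1.1 response
string; the two samples below are constructed for the demonstration.
"""
import re

# Referrer-Policy values defined by the Referrer Policy specification
# (the same set the OWASP Referrer-Policy table lists).
REFERRER_POLICY_VALUES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

# Default from gateway.http.hsts_options on this page: one year in seconds.
DEFAULT_HSTS_MAX_AGE = 31536000

# Constructed sample: what a response looks like with the page's defaults
# (X-XSS-Protection value is an assumption, not taken from the page).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: a weakened configuration that should produce findings.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into a dict keyed by
    lowercase header name. Repeated headers are joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def hsts_max_age(value: str):
    """Return the max-age directive of an HSTS value, or None if absent."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_headers(headers: dict, min_hsts_age: int = DEFAULT_HSTS_MAX_AGE) -> list:
    """Return a list of findings; an empty list means all four headers look right."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing (gateway.http.hsts false, or response not over TLS)")
    else:
        age = hsts_max_age(hsts)
        if age is None:
            findings.append(f"HSTS max-age unparsable: {hsts!r}")
        elif age < min_hsts_age:
            findings.append(f"HSTS max-age {age} below expected {min_hsts_age}")

    policy = headers.get("referrer-policy")
    if policy is None:
        findings.append("Referrer-Policy missing (gateway.http.referrer_policy_enabled may be false)")
    elif policy.lower() not in REFERRER_POLICY_VALUES:
        findings.append(f"Referrer-Policy value not recognised: {policy!r}")

    xcto = headers.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options not 'nosniff': {xcto!r}")

    xss = headers.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif not xss.strip().startswith("1"):
        findings.append(f"X-XSS-Protection does not enable the filter: {xss!r}")

    return findings


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, check_headers(parse_headers(raw)) or "OK")
```

Each finding names the gateway.http.* option that most likely explains it, so the output maps directly back to the tsm configuration set keys on this page.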