HTTP Response Headers
Tableau Server supports some of the response headers specified in the OWASP Secure Headers Project(Link opens in a new window).
This topic describes how to configure the following response headers for Tableau Server:
- HTTP Strict Transport Security (HSTS)
Tableau Server also supports the Content Security Policy (CSP) standard. CSP configuration is not covered in this topic. See Content Security Policy.
Configuring response headers
All response headers are configured with the tsm configuration set command.
When you are finished configuring response headers, run tsm pending-changes apply.
If the pending changes require a server restart, the
pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the
--ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
HTTP Strict Transport Security (HSTS)
HSTS forces clients connecting to Tableau Server to connect with HTTPS. For more information see the OWASP entry, HTTP Strict Transport Security (HSTS)(Link opens in a new window).
The HTTP Strict Transport Security (HSTS) header forces browsers to use HTTPS on the domain where it is enabled.
By default, HSTS policy is set for one year (31536000 seconds). This time period specifies the amount of time in which the browser will access the server over HTTPS.
Beginning in 2019.2, Tableau Server includes the ability to configure Referrer-Policy HTTP header behavior. This policy is enabled with a default behavior that will include the origin URL for all "secure as" connections (policy
no-referrer-when-downgrade). In previous versions, the Referrer-Policy header was not included in responses sent by Tableau Server. For more information about the various policy options that Referrer-Policy supports, see the OWASP entry, Referrer-Policy(Link opens in a new window).
To exclude the Referrer-Policy header from responses sent by Tableau Server, set this value to
This option defines the referrer policy for Tableau Server. You may specify any of the policy value strings listed in the Referrer-Policy(Link opens in a new window) table on the OWASP page.
The X-Content-Type-Options response HTTP header specifies that the MIME type in the Content-Type header should not be changed by the browser. In some cases, where MIME type is not specified, a browser may attempt to determine the MIME type by evaluating the characteristics of the payload. The browser will then display the content accordingly. This process is referred to as "sniffing." Misinterpreting the MIME type can lead to security vulnerabilities.
For more information see the OWASP entry, X-Content-Type-Options(Link opens in a new window).
The X-Content-Type-Options HTTP header is set to 'nosniff' by default with this option.
The HTTP X-XSS-Protection response header is sent to the browser to enable cross-site scripting (XSS) protection. The X-XSS-Protection response header overrides configurations in cases where users have disabled XXS protection in the browser.
For more information see the OWASP entry, X-XSS-Protection(Link opens in a new window).
The X-XSS-Protection response header is enabled by default with this option.