Client Security
Client Security offers hardening options for administrators to further lock down the client application. While the system remains secure without these options, there are often requirements or scenarios where admins would like to extend the standard security apparatus already in place.
Tip: If you want to secure the server-side options, see Server-Side Security.
Important: Always remember to apply any changes using the Apply button at the top-right of the workspace.
The Client Security settings impact the way the HTML clients and cookies are handled and secured:
| Field | Description |
|---|---|
| Use Request Hash Security | Adds a hash check to key client-side functions. This ensures that only authorized users are performing authorized activities on relevant content. Pyramid recommends that you keep this checkbox selected. |
| Disable CORS | Cross-origin resource sharing (CORS) allows restricted resources on a web page to be requested from a domain outside of the domain from which the first resource was served. This capability is needed in Pyramid when using the embedding capabilities. An admin can choose to disable CORS and prevent Pyramid from accepting requests from other domains. Note: If this option is enabled, embedding capabilities are disabled. |
| Iframe hosting | Set iframe hosting: |
| | Stops the browser from sending cookies along with cross-site requests. The goal is to lower the risk of a cross-origin information leak, and to offer some protection against cross-site request forgery (CSRF) attacks. |
| Enforce SSL secure cookies and pages | Ensures all cookies are flagged for operation with SSL encrypted websites (HTTPS) only. When this option is selected, the application is blocked from operating with plain HTTP. |
| Enable JavaScript actions | Allows users to configure JavaScript actions, as defined in Discover or Present, to execute a script in the browser. This option must be enabled before such actions can be configured. This could pose a security risk. |
| Cookie Timeout | Enforces cookie expiration with the ability to set the cookie timeout period. This ensures users must log in to the application again when a cookie is marked as expired. Set the timeout period to be between 30 minutes and 12 months. |
| Embed Cookie Timeout | This is only relevant if you are using embedded content. Forces the embedded token to expire. In this scenario, you can use the Set the timeout period to be between 30 minutes and 12 months. |
| Hide query error messages from Viewer | Hides any query-related errors, and associated query details, from non-admin users. |
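
One way to confirm that these settings took effect is to audit the response headers the client receives. The following is an added example, not part of the Pyramid documentation: the standard HTTP header names it checks, the function names and the sample headers are assumptions rather than Pyramid specifics.

```python
def parse_set_cookie(value):
    """Return (cookie name, {lowercased attribute: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers, embedding=False):
    """Check (name, value) header pairs from one HTTPS response; return findings.

    embedding=False models a deployment with CORS disabled and no cross-site use,
    so cross-origin, cross-site-cookie and framing allowances are all reported.
    """
    findings = []
    framing_restricted = False  # presence only; the directive value is not evaluated
    for name, value in headers:
        name = name.lower()
        if name == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cookie}: missing Secure")
            samesite = attrs.get("samesite", "").lower()
            if not embedding and samesite not in ("lax", "strict"):
                findings.append(f"cookie {cookie}: SameSite is {samesite or 'unset'}")
        elif name == "access-control-allow-origin" and not embedding:
            findings.append(f"CORS header present: {value}")
        elif name == "x-frame-options":
            framing_restricted = True
        elif name == "content-security-policy" and "frame-ancestors" in value.lower():
            framing_restricted = True
    if not embedding and not framing_restricted:
        findings.append("no framing restriction (X-Frame-Options or frame-ancestors)")
    return findings


# Constructed sample headers (not captured from a real server).
SAMPLE = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Access-Control-Allow-Origin", "*"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```

Pass `embedding=True` when embedded content is in use, so that only the Secure-cookie check is reported.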