Client Security

Client Security offers hardening options for administrators to further lock down the client application. While the system remains secure without these options, there are often requirements or scenarios where admins would like to extend the standard security apparatus already in place.

Tip: If you want to secure the server-side options, see Server-Side Security.

Important: Always remember to apply any changes using the Apply button at the top-right of the workspace.

The Client Security settings impact the way the HTML clients and cookies are handled and secured:

Field

Description

Use Request Hash Security

Adds a hash check to key client-side functions. This ensures that only authorized users are performing authorized activities on relevant content.

Pyramid recommends that you keep this checkbox selected.

Disable CORS

Cross-origin resource sharing (CORS) allows restricted resources on a web page to be requested from a domain other than the one that served the page. Pyramid needs this capability for its embedding features. Selecting this option disables CORS so that Pyramid no longer accepts requests from other domains. Note: If this option is enabled, embedding capabilities are disabled.

  • Web Site Domains: If CORS is enabled, provide a white list of the web domains that are permitted to make cross-domain requests; limiting access to these domains avoids degrading client security. The white list is a comma-separated list of site domains, and every entry must include the relevant protocol.

Iframe hosting

Set iframe hosting:

  • Allow: Enables iframe hosting. Iframes are commonly used for advertisements, embedded videos, web analytics and interactive content.
  • Deny: Blocks all iframe hosting. If iframe hosting is blocked, iframe embedding capabilities are disabled.
  • Same Origin: Allows iframe hosting only from the same website domain as Pyramid.

Same Site

Stops the browser from sending cookies along with cross-site requests. The goal is to lower the risk of a cross-origin information leak, and to offer some protection against cross-site request forgery (CSRF) attacks.

  • Disable: Allows cookies to be sent.
  • Lax: Cookies are sent with cross-site top-level navigations that use a safe HTTP method (such as GET), but not with other cross-site requests.
  • Strict: Stops cookies being sent by the browser to the target site in all cross-site browsing contexts, including when following a regular link.

Enforce SSL secure cookies and pages

Ensures all cookies are flagged for operation with SSL encrypted websites (HTTPS) only. When this option is selected, the application is blocked from operating with plain HTTP.

Enable JavaScript actions

Allows users to configure JavaScript actions, as defined in Discover or Present, that execute a script in the browser. Because this runs user-defined script in the browser, it can present a security risk.

This option must be enabled before JavaScript actions defined in Discover or Present can execute a script in the browser.

Cookie Timeout

Enforces cookie expiration with the ability to set the cookie timeout period. This ensures users must log in to the application again when a cookie is marked as expired.

Set the timeout period to be between 30 minutes and 12 months.
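To confirm that the settings above (the CORS web site domains list, iframe hosting, Same Site, Enforce SSL secure cookies and Cookie Timeout) actually reach the browser, an administrator can audit the headers of a response from the client application. The script below is an added example and not Pyramid's own code: it assumes the settings surface as the standard headers and cookie attributes that browsers enforce (Access-Control-Allow-Origin, X-Frame-Options or a Content-Security-Policy frame-ancestors directive, and the Secure, SameSite and Max-Age cookie attributes); the page does not state which headers Pyramid emits, and the policy and the two sets of response headers are constructed sample data.

```python
"""Audit a response's headers against the client-security options:
CORS allow list, iframe hosting, SameSite, Secure-only cookies and the
cookie timeout. Added example; header names are the standard ones browsers
honour, not a statement of what Pyramid emits. Sample data is constructed."""
from urllib.parse import urlsplit

MIN_TIMEOUT_S = 30 * 60             # 30 minutes
MAX_TIMEOUT_S = 366 * 24 * 60 * 60  # 12 months, taken here as 366 days


def validate_allow_list(allow_list):
    """Check the comma-separated 'Web Site Domains' value: each entry needs
    a protocol and a host (as the setting requires); wildcards are rejected."""
    problems = []
    for raw in allow_list.split(","):
        entry = raw.strip()
        if not entry:
            continue
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"allow list entry {entry!r} must include the protocol and host")
        elif "*" in parts.netloc:
            problems.append(f"allow list entry {entry!r} uses a wildcard")
    return problems


def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP header, lowercased."""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return value.strip().lower()
    return ""


def audit(headers, policy):
    """headers: list of (name, value) pairs as received. policy: dict with
    allow_list, iframe ('allow'|'deny'|'same origin'), samesite
    ('disable'|'lax'|'strict') and secure_only (bool). Returns findings."""
    findings = validate_allow_list(policy["allow_list"])
    first, set_cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            set_cookies.append(value)
        else:
            first.setdefault(name.lower(), value)

    # CORS: the response may only ever echo an origin from the allow list.
    acao = first.get("access-control-allow-origin")
    if acao == "*":
        findings.append("Access-Control-Allow-Origin is '*': any site may call the client API")
    elif acao is not None:
        allowed = {e.strip().rstrip("/").lower() for e in policy["allow_list"].split(",") if e.strip()}
        if acao.rstrip("/").lower() not in allowed:
            findings.append(f"Access-Control-Allow-Origin {acao!r} is not in the allow list")

    # Iframe hosting: Deny and Same Origin need a matching framing header.
    xfo = first.get("x-frame-options", "").strip().upper()
    fa = frame_ancestors(first.get("content-security-policy", ""))
    satisfied = {"deny": xfo == "DENY" or fa == "'none'",
                 "same origin": xfo == "SAMEORIGIN" or fa == "'self'",
                 "allow": True}[policy["iframe"]]
    if not satisfied:
        findings.append(f"framing not restricted to {policy['iframe']!r} "
                        f"(X-Frame-Options={xfo or 'missing'}, frame-ancestors={fa or 'missing'})")

    # Cookies: Secure flag, SameSite mode and a timeout within 30 min..12 months.
    for raw in set_cookies:
        cname, _, attrs = parse_set_cookie(raw)
        if policy["secure_only"] and "secure" not in attrs:
            findings.append(f"cookie {cname}: missing Secure attribute")
        samesite = attrs.get("samesite", "").lower()
        if policy["samesite"] != "disable" and samesite != policy["samesite"]:
            findings.append(f"cookie {cname}: SameSite={samesite or 'unset'}, expected {policy['samesite']}")
        if "max-age" in attrs:
            age = int(attrs["max-age"]) if attrs["max-age"].lstrip("-").isdigit() else -1
            if not MIN_TIMEOUT_S <= age <= MAX_TIMEOUT_S:
                findings.append(f"cookie {cname}: Max-Age {attrs['max-age']} outside 30 minutes..12 months")
        elif "expires" not in attrs:
            findings.append(f"cookie {cname}: no Max-Age or Expires, so the timeout is not enforced")
    return findings


# Constructed sample data: the intended policy and two captured responses.
POLICY = {"allow_list": "https://portal.example.com, https://intranet.example.com",
          "iframe": "same origin", "samesite": "strict", "secure_only": True}
HARDENED = [("Content-Type", "text/html"),
            ("Access-Control-Allow-Origin", "https://portal.example.com"),
            ("X-Frame-Options", "SAMEORIGIN"),
            ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=3600")]
WEAK = [("Content-Type", "text/html"),
        ("Access-Control-Allow-Origin", "*"),
        ("Set-Cookie", "session=abc123; Path=/; SameSite=None; Max-Age=600"),
        ("Set-Cookie", "prefs=dark; Path=/; Secure; SameSite=Strict")]

if __name__ == "__main__":
    for label, response in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(response, POLICY) or ["no findings"])
```

Running the script reports no findings for the hardened response and six for the weak one (wildcard CORS, unrestricted framing, a session cookie without Secure, wrong SameSite mode and a 10-minute timeout, and a preferences cookie with no expiry). Feeding it real headers captured from the application after applying the settings gives a quick regression check that the hardening is in effect.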

Embed Cookie Timeout

This is only relevant if you are using embedded content.

Forces the embedded token to expire. In this scenario, you can use the pyramid.authFailure API to define what happens when the token expires. For example, you may want to redirect users to the Pyramid login page or show them a message. This requires users to log in to the application again when an embedded token is marked as expired.

Set the timeout period to be between 30 minutes and 12 months.

Hide query error messages from Viewer

Hides any query related errors, and associated query details, from non-admin users.