The default installation of Server uses HTTP (unencrypted) to simplify the installation and configuration. We recommend deploying SSL/TLS certificates and enabling Server SSL/TLS (HTTPS) to encrypt the communication between the client and the Server. This enables the integrity and confidentiality of user sessions and affirms the Server’s identity. Go to Configure Server SSL/TLS for steps to do so.
Set the Gallery Default Run Mode
The Gallery Run Mode setting can provide enhanced security controls over workflow execution of potentially malicious actions. By default, the Gallery Run Mode is set to Unrestricted, which means there are no restrictions, and that any workflow can execute. Configuring this setting to Semi-safe or Safe will further protect the Server environment by preventing workflows from reading or writing data to a location that is not within the workflow staging directory or executing workflows containing restricted tools. This is a global setting that applies to the entire Server environment, but it can be overridden by administrators at the individual workflow level. Go to the Gallery help page to learn more about the Gallery Run Mode.
As an admin, you can specify the hosts you want to allow Server to serve in the Allowed Hosts field.
Use this as a security measure to prevent HTTP host header attacks. Enter fully qualified domain names (host/domain) 1 per line. Go to the Alteryx Server Configuration help page for more information.
Edit %ProgramFiles%\Alteryx\bin\server\config\alteryx.config to add custom headers that tighten CORS and other header-based security policies.
You might need to update or tailor some values for your environment and needs.
<httpHeaders> <header name="Cache-Control" value="no-store; max-age=0" /> <header name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" /> <header name="X-Content-Type-Options" value="nosniff" /> <header name="Content-Security-Policy" value="default-src 'self'; img-src 'self' data:; font-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'" /> <header name="Access-Control-Allow-Origin" value="https://server.domain.tld" /> <header name="Vary" value="Origin" /> <header name="Referrer-Policy" value="no-referrer; strict-origin-when-cross-origin" /> </httpHeaders>