The default installation of Server uses HTTP (unencrypted) to simplify the installation and configuration. We recommend deploying SSL/TLS certificates and enabling Server SSL/TLS (HTTPS) to encrypt the communication between the client and the Server. This enables the integrity and confidentiality of user sessions and affirms the Server’s identity. Go to Configure Server SSL/TLS for steps to do so.
Set the Default Run Mode
The Default Run Mode setting can provide enhanced security controls over workflow execution of potentially malicious actions. By default, the Default Run Mode is set to Unrestricted, which means there are no restrictions, and that any workflow can execute. Configuring this setting to Semi-safe or Safe will further protect the Server environment by preventing workflows from reading or writing data to a location that is not within the workflow staging directory or executing workflows containing restricted tools. This is a global setting that applies to the entire Server environment, but it can be overridden by administrators at the individual workflow level. Go to the Server UI help page to learn more about the Default Run Mode.
As an admin, you can specify the hosts you want to allow Server to serve in the Allowed Hosts field.
Use this as a security measure to prevent HTTP host header attacks. Enter fully qualified domain names (host/domain) 1 per line. Go to the Server Settings help page for more information.
Edit %ProgramFiles%\Alteryx\bin\server\config\alteryx.config to add custom headers that tighten CORS and other header-based security policies.
You might need to update or tailor some values for your environment and needs.
<httpHeaders> <header name="Cache-Control" value="no-store; max-age=0" /> <header name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" /> <header name="X-Content-Type-Options" value="nosniff" /> <header name="Content-Security-Policy" value="default-src 'self'; img-src 'self' data:; font-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'" /> <header name="Access-Control-Allow-Origin" value="https://server.domain.tld" /> <header name="Vary" value="Origin" /> <header name="Referrer-Policy" value="no-referrer; strict-origin-when-cross-origin" /> </httpHeaders>