Security settings

The Security Settings page in the ThoughtSpot UI allows administrators and developers to configure Content Security Policy (CSP), Cross-Origin Resource Sharing (CORS), authentication, and access control settings.

Note

The following settings on the Security Settings page appear as locked for ThoughtSpot Analytics application users. These settings apply to ThoughtSpot embedding and require an embedding license:

Security settings for ThoughtSpot embedding

Most web browsers block cross-site scripting, cross-domain requests, and third-party cookies by default. Web browsers also have built-in security mechanisms such as the same-origin policy and Content Security Policy. These policies restrict how applications and scripts from one origin (domain) can interact with resources hosted on another origin (domain). To keep embedded content and data secure while providing a seamless user experience, configure the settings described in this section.

Third-party cookies

When ThoughtSpot is embedded in another application, it is considered a third-party application in the host application context. As a result, cookies from ThoughtSpot are blocked by web browsers.

To avoid this issue, ThoughtSpot recommends the following:

Add domains to CSP and CORS allowlists

To allow another application to embed ThoughtSpot, you must add your host application domain as a CSP Visual Embed host.

To allow your embedding application to call ThoughtSpot, access its resources, and render embedded content, add your host application domain URL as a trusted host for CORS.

To allow loading script interfaces and JavaScript events for custom actions, or to enable importing resources from other sites, add the source domain URLs as trusted hosts in the respective CSP allowlist.

Add CSP visual embed hosts

To have ThoughtSpot include your host domain in the frame-ancestors directive of its CSP header, so that a ThoughtSpot object can be embedded within your application frame, add your application domain as a CSP visual embed host.

  1. On your ThoughtSpot application instance, go to Develop > Customizations > Security settings.

  2. Click Edit.

  3. In the CSP visual embed hosts text box, add the domain names. For valid domain name formats, see Domain name format for CSP and CORS configuration.

  4. Click Save changes.

Note

Only users with a valid embed license can add Visual Embed hosts.

Add URLs to CSP connect-src allowlist

If you plan to create custom actions with URL targets, you must add the domain names of these URLs to the CSP connect-src allowlist. This allows the JavaScript events triggered by the custom action URLs to reach those domains.

  1. On your ThoughtSpot application instance, go to Develop > Customizations > Security settings.

  2. Click Edit.

  3. In the CSP connect-src domains text box, add the domain names. For valid domain name formats, see Domain name format for CSP and CORS configuration.

  4. Click Save changes.

Add other trusted domains

To import images, fonts, and stylesheets from external sites, or to load content from an external site in an iFrame element, you must add the source URLs as trusted domains in the CSP allowlist. For example, if you want a Liveboard Note tile to show an image from an external site or to embed content from an external site in an iFrame, you must add the domain URLs of these sites to the CSP allowlist. Similarly, to import fonts and custom styles from an external source, you must add the source URL as a trusted domain in ThoughtSpot.

The following CSP settings are available on the Develop > Customizations > Security Settings page:

  • CSP img-src domains
    Add the domains from which you want to load images and favicons.

  • CSP font-src domains
    Add the domains from which you want to load fonts.

  • CSP style-src domains
    Add the domains from which you want to load stylesheets.

  • CSP frame-src domains
    Add the iframe source URL domains.

Note

If your application instance has Orgs, the CSP settings can be configured only at the cluster level.

Enable CORS

The CORS configuration for your cluster controls which domains can access and modify your application content. To allow your application to call ThoughtSpot or its REST API endpoints and request resources, you must add your application domain to the CORS allowlist. For example, if your website is hosted on the example.com domain and the embedded ThoughtSpot content is hosted on example.thoughtspot.com, you must add the example.com domain to the CORS allowlist for cross-domain communication. You can also add http://localhost:8080 to the CORS allowlist to test your deployments locally. However, we recommend that you disable localhost access in production environments.

If you enable CORS for your application domain, ThoughtSpot adds the Access-Control-Allow-Origin header in its API responses when your host application sends a request to ThoughtSpot.
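The two allowlists above feed two separate browser-enforced checks: the CSP visual embed hosts end up in the frame-ancestors directive that decides whether the embedding page may frame ThoughtSpot, and the CORS allowlist decides which Origin gets an Access-Control-Allow-Origin header back. The following added example (not ThoughtSpot's own code; how ThoughtSpot serialises its headers is not shown on this page) models both checks with constructed allowlists, following the domain format notes below: the protocol in a CORS entry is ignored, a non-standard port must match, and a credentialed request (one that carries ThoughtSpot cookies) is only accepted by the browser when the exact origin is echoed back, never a wildcard.

```javascript
// Added example (not ThoughtSpot's code): models the two browser-enforced checks that the
// CSP visual embed hosts and CORS allowlists feed. The allowlists below are constructed
// sample values; the matching rules follow the "Domain name format" notes (protocol ignored
// for CORS, non-standard port must match) and are a simplification of the real service.

const VISUAL_EMBED_HOSTS = ["app.example.com", "http://localhost:8080"]; // constructed
const CORS_HOSTS = ["app.example.com", "localhost:8080"];                // constructed

const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

// Normalise an allowlist entry or an Origin header value to scheme, host and port.
// Entries written without a protocol are parsed as https so that URL() accepts them.
function parseOrigin(value) {
  const u = new URL(HAS_SCHEME.test(value) ? value : `https://${value}`);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port || null };
}

// The frame-ancestors directive the embedding browser evaluates: entries keep an explicit
// protocol if one was given, otherwise they are emitted as scheme-less CSP host-sources.
function frameAncestorsDirective(hosts) {
  const sources = hosts.map((h) => {
    const o = parseOrigin(h);
    const hostPort = o.port ? `${o.host}:${o.port}` : o.host;
    return HAS_SCHEME.test(h) ? `${o.scheme}://${hostPort}` : hostPort;
  });
  return `frame-ancestors 'self' ${sources.join(" ")}`;
}

// Access-Control-Allow-Origin value to return for a request's Origin header, or null.
// The protocol in the allowlist is ignored; host and port must match exactly. The response
// echoes the request origin rather than "*" because credentialed requests need an exact origin.
function corsAllowOrigin(requestOrigin, allowlist) {
  const req = parseOrigin(requestOrigin);
  const matched = allowlist.some((entry) => {
    const a = parseOrigin(entry);
    return a.host === req.host && a.port === req.port;
  });
  if (!matched) return null;
  return `${req.scheme}://${req.host}${req.port ? `:${req.port}` : ""}`;
}

// What the browser does with the response: a wildcard is never accepted once cookies are
// sent (credentials: "include"), and the echoed origin must equal the request origin.
function browserAcceptsCorsResponse(requestOrigin, allowOriginHeader, withCredentials) {
  if (allowOriginHeader === null) return false;
  if (allowOriginHeader === "*") return !withCredentials;
  return allowOriginHeader === requestOrigin;
}
```

Running corsAllowOrigin with an origin whose port differs from the allowlist entry (for example http://localhost:3000 against localhost:8080) returns null, which is the practical reason the notes below insist on spelling out non-standard ports.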

To add domain names to the CORS allowlist, follow these steps:

  1. On your ThoughtSpot application instance, go to Develop > Customizations > Security settings.

  2. Click Edit.

  3. In the CORS whitelisted domains text box, add the domain names. For valid domain name formats, see Domain name format for CSP and CORS configuration.

  4. Click Save changes.

Domain name format for CSP and CORS configuration

Important

Note the following points if using port or protocol in the domain name string:

  • The UI allows you to add a domain URL with or without the protocol (http/https) in the CSP allowlist. To avoid long URLs in the CSP header, we recommend that you don’t include the protocol in the domain name string. However, for non-HTTPS domains, such as your local testing environment, do include http in the domain name string.

  • Although you can add a domain URL with the protocol (http/https) to the CORS allowlist, ThoughtSpot ignores the protocol in the domain names of CORS hosts. Therefore, you can exclude the protocol in the domain name strings.

  • If your domain URL has a non-standard port such as 8080, specify the port number in the domain name string.

  • You can add multiple domain names to the CORS and CSP Visual Embed hosts list on the Develop > Security Settings page. Ensure that the CORS and CSP host allowlist does not exceed 4096 characters.

The following table shows the valid domain name strings for the CORS and CSP allowlists.

| Domain name format | CSP Visual Embed host | CSP connect-src | CORS | CSP font-src, style-src, img-src |
|---|---|---|---|---|
| Domain URL strings without protocol (thoughtspot.com; www.thoughtspot.com) | ✓ Supported | ✓ Supported | ✓ Supported | ✓ Supported |
| Domain URL strings for localhost (localhost; localhost:3000; http://localhost:3000) | ✓ Supported | ✓ Supported | ✓ Supported | ✓ Supported |
| Domain URL strings without port (thoughtspot.com; mysite.com). If your domain URL has a non-standard port, for example mysite.com:8080, make sure you add the port number in the domain name string. | ✓ Supported | ✓ Supported | ✓ Supported | ✓ Supported |
| Wildcard (*) for domain URL | ✓ Supported | ✓ Supported | x Not supported | ✓ Supported |
| Wildcard (*) before the domain name extension (https://*.com) | x Not supported | x Not supported | x Not supported | x Not supported |
| Plain text string without the domain name extension (thoughtspot) | x Not supported | x Not supported | x Not supported | x Not supported |
| Domain name with wildcard (*) and a leading dot (.*.thoughtspot.com) | x Not supported | x Not supported | ✓ Supported. To avoid domain validation errors, make sure you add an escape character \ after the wildcard in the domain URL string: .*\.thoughtspot.com | x Not supported |
| Wildcard before the domain name (*.thoughtspot.com) | ✓ Supported | ✓ Supported | x Not supported | ✓ Supported |
| Domain names with space, backslash (\), and wildcard (*) (www.*.*.thoughtspot.com; www.thoughtspot.com/*; thoughtspot .com) | x Not supported | x Not supported | x Not supported | x Not supported |
| URLs with query parameters (http://thoughtspot.com?2rjl6) | x Not supported | x Not supported | x Not supported | x Not supported |
| URLs with path parameters (thoughtspot.com/products) | ✓ Supported | ✓ Supported | x Not supported | ✓ Supported |
| URLs with path and query parameters (thoughtspot.com/products?id=1&page=2) | x Not supported | x Not supported | x Not supported | x Not supported |
| IPv4 addresses (255.255.255.255) | ✓ Supported | ✓ Supported | ✓ Supported | ✓ Supported |
| Semicolons as separators (thoughtspot.com; thoughtspot.com;) | x Not supported | x Not supported | x Not supported | x Not supported |
| Comma-separated values (thoughtspot.com, thoughtspot.com) | ✓ Supported | ✓ Supported | ✓ Supported | ✓ Supported |
| mail://xyz.com | x Not supported | x Not supported | x Not supported | x Not supported |
| Wildcard (*) for port (thoughtspot:*) | ✓ Supported | ✓ Supported | ✓ Supported | ✓ Supported |

Block access to non-embedded ThoughtSpot pages

If you have embedded ThoughtSpot content in your app, you may want your users to access only the ThoughtSpot pages embedded within the context of your host app. ThoughtSpot allows administrators to restrict user access to non-embedded application pages from the embedding application context or selectively grant access to specific user groups. For information, see Control User Access.

Enable partitioned cookies

Many web browsers do not allow third-party cookies. If you are using authentication methods that rely on cookies, users will not be able to access the embedded content when browsers block third-party cookies. Therefore, ThoughtSpot recommends using cookieless authentication in production environments.

However, if your implementation uses cookie-based authentication or AuthType.None, ensure that you enable partitioned cookies:

  1. On your ThoughtSpot application instance, go to Develop > Customizations > Security settings.

  2. Click Edit.

  3. Turn on the Enable partitioned cookies toggle switch.

  4. Click Save changes.

With partitioned cookies enabled, when a user logs in to ThoughtSpot and accesses embedded content on a host application, a cookie is set with the partitioned attribute. On browsers supporting partitioned cookies, the partitioned cookie will persist in the app after a successful login.

Important

Safari blocks all third-party cookies and does not support partitioned cookies. You can switch to a different browser that supports partitioned cookies, or use cookieless authentication in your embedding implementation.
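Whether a session cookie survives inside the embedding frame is decided entirely by the attributes on the Set-Cookie header the browser receives. The following added example (not ThoughtSpot's code) parses a Set-Cookie header and classifies it the way a browser would: a cookie without SameSite=None is first-party only and never sent from an embedded frame, SameSite=None and Partitioned both require Secure, and only a Secure; SameSite=None; Partitioned cookie is kept, per top-level site, on browsers that support partitioned cookies. The sample headers are constructed and the cookie name session is a placeholder.

```javascript
// Added example (not ThoughtSpot's code): classifies a Set-Cookie header by whether the
// cookie it sets can survive inside an embedding (third-party) frame. The rules are the
// browser ones: SameSite=None and Partitioned both require Secure; a cookie with no
// SameSite attribute is treated as Lax by current browsers. Sample headers are constructed.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

function embedCookieStatus(header) {
  const { attrs } = parseSetCookie(header);
  const secure = attrs.secure === true;
  const partitioned = attrs.partitioned === true;
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "lax";
  if (sameSite === "none" && !secure) return { code: "rejected", detail: "SameSite=None requires Secure" };
  if (partitioned && !secure) return { code: "rejected", detail: "Partitioned requires Secure" };
  if (sameSite !== "none") return { code: "first-party-only", detail: "never sent from an embedding frame" };
  if (!partitioned) return { code: "third-party", detail: "blocked by browsers that block third-party cookies" };
  return { code: "partitioned", detail: "kept per top-level site on browsers that support partitioned cookies" };
}

// Constructed sample headers for a cookie-based session (cookie name is a placeholder).
const SAMPLE_HEADERS = {
  lax: "session=abc123; Path=/; Secure; HttpOnly",
  none: "session=abc123; Path=/; Secure; HttpOnly; SameSite=None",
  partitioned: "session=abc123; Path=/; Secure; HttpOnly; SameSite=None; Partitioned",
  insecureNone: "session=abc123; Path=/; SameSite=None",
};

// Returns the classification code for each sample header.
function auditSampleHeaders() {
  return Object.fromEntries(
    Object.entries(SAMPLE_HEADERS).map(([name, header]) => [name, embedCookieStatus(header).code]),
  );
}
```

Running auditSampleHeaders shows that turning the toggle on moves a session cookie from the "third-party" class to "partitioned"; it does nothing for browsers that, as the note above states, do not support partitioned cookies, which is why cookieless authentication remains the recommendation for production.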

Add permitted iFrame domains

Some features in ThoughtSpot, such as Liveboard Note tiles and custom charts, allow iFrame content. If you are planning to embed content from an external site, make sure the domain URLs of these sites are added to the iFrame domain allowlist:

  1. On your ThoughtSpot application instance, go to Develop > Customizations > Security settings.

  2. Click Edit.

  3. In the Permitted iFrame domains text box, add the domain URL of the website or portal that you want to use for iFrame content.

  4. Click Save changes.