Securing Your Decisions Installation

Last Updated: 01/17/2019 Introduced in Version:

The various settings that you can use to secure your Decisions Platform Installation are:

Secure Cookies (this setting only works over HTTPS)


Changes to be made:

C:\Program Files\Decisions\Decisions Web Host\web.config 

C:\Program Files\Decisions\Decisions Web Host\HUI\web.config

Add the line <httpCookies requireSSL="true" /> inside the <system.web> section.

Update the <forms> tag as follows: <forms loginUrl="Login.aspx" defaultUrl="Default.aspx" timeout="20160" slidingExpiration="true" path="/" name="WFAuthCookie" requireSSL="true"/>


Setting in Portal Settings:



Protecting against Cross-frame Scripting (XFS) attacks and clickjacking

Changes to be made: C:\Program Files\Decisions\Decisions Web Host\web.config


Add the following to the <customHeaders> element under <system.webServer><httpProtocol> (create these elements if they are not already present):

<add name="X-Frame-Options" value="SAMEORIGIN" />
Further protection is implemented with the Content-Security-Policy, Cache-Control and X-Content-Type-Options HTTP headers. Add the following to the same <customHeaders> element:

<add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; worker-src 'self' 'unsafe-inline' blob:" />

<add name="X-Content-Type-Options" value="nosniff" />




Protecting against header injection attacks:

Ensure that you have the Host address setup in your IIS Binding. Note you can set multiple host headers here.
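As an added verification step (this script is not Decisions' own code), the following Python audits a captured HTTP response head from the portal for the settings above: the Secure attribute that requireSSL="true" adds to cookies, the X-Frame-Options header, a Content-Security-Policy that sets default-src, and X-Content-Type-Options: nosniff. The sample response is constructed and deliberately misses two settings; replace it with a head captured from your own portal over HTTPS. The IIS host binding is not something a response head reveals, so it is not checked here.

```python
"""Audit a Decisions portal response head for the hardening settings above.
Added example, not Decisions' own code; the sample response is constructed."""

# Constructed sample of a raw HTTP/1.1 response head (no body).  The first
# cookie lacks Secure and the Content-Security-Policy header is absent.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: WFAuthCookie=abc123; path=/; HttpOnly\r\n"
    b"Set-Cookie: ASP.NET_SessionId=xyz; path=/; secure; HttpOnly\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
)


def parse_head(raw):
    """Split a raw response head into lower-cased (name, value) pairs.
    Duplicates are kept because Set-Cookie legitimately repeats."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    pairs = []
    for line in text.split("\n")[1:]:        # skip the status line
        if not line.strip():
            break                            # blank line ends the head
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_csp(value):
    """Turn "default-src 'self'; script-src 'self' ..." into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit(pairs):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    first = {}
    for name, value in pairs:
        first.setdefault(name, value)

    # Cookies: requireSSL="true" in web.config adds the Secure attribute;
    # HttpOnly is checked as well because it is cheap and closely related.
    for name, value in pairs:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie}: missing Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: missing HttpOnly attribute")

    # Clickjacking / cross-frame scripting.
    xfo = first.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options header missing")
    elif xfo.upper() not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")

    # Content Security Policy: present, and default-src does not allow everything.
    csp = first.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("Content-Security-Policy has no default-src")
        elif "*" in policy["default-src"]:
            findings.append("Content-Security-Policy default-src allows *")

    # MIME sniffing.
    if first.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_head(SAMPLE_RESPONSE)) or ["all checks passed"]:
        print(finding)
```

Run it against a head captured over HTTPS; a head captured over plain HTTP will report missing Secure attributes even when requireSSL is set, because ASP.NET refuses to issue the cookie at all in that case.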


Excluding File Extensions

Navigate to System > Settings > Portal Settings. Under Globalization Settings, the Extensions Not Allowed text box lets users add the file extensions that should be excluded.


Below is a list of extensions (executable/scripts) which can be restricted:
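To show what an extension exclusion has to cope with, here is an added Python example (not Decisions' own code, and BLOCKED is a constructed sample list, not the page's list) that checks an upload filename against a blocked-extension set the way a careful filter should: case-insensitively, after stripping the trailing dots and spaces that Windows drops when it creates a file, on the base name only, and on every extension after the first dot so that a double extension such as shell.aspx.jpg is caught.

```python
"""Check upload filenames against an "Extensions Not Allowed" style list.
Added example, not Decisions' own code; BLOCKED is a constructed sample."""

# Constructed sample of executable/script extensions to exclude.
BLOCKED = {
    "exe", "dll", "bat", "cmd", "ps1", "vbs", "js", "hta",
    "scr", "msi", "aspx", "ashx", "asp",
}


def normalize(filename):
    """Reduce a submitted filename to the form the file system will use.
    Windows strips trailing dots and spaces on creation, so 'tool.exe. '
    becomes 'tool.exe'; path separators are dropped so only the base name
    is inspected; comparison is case-insensitive."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(". ").lower()


def blocked_extensions(filename, blocked=BLOCKED):
    """Return the blocked extensions found anywhere after the first dot,
    so 'report.aspx.jpg' is caught as well as 'setup.exe'."""
    name = normalize(filename)
    parts = name.split(".")[1:]          # everything after the base name
    return {p for p in parts if p in blocked}


def is_allowed(filename, blocked=BLOCKED):
    """True when no component of the name matches an excluded extension."""
    return not blocked_extensions(filename, blocked)


if __name__ == "__main__":
    for candidate in ("report.pdf", "Setup.EXE", "tool.exe. ", "shell.aspx.jpg"):
        print(f"{candidate!r}: {'allowed' if is_allowed(candidate) else 'blocked'}")
```

Maintain the list in lower case and compare on the normalised name; an exclusion that only compares the literal final extension will let Setup.EXE or tool.exe. through.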

Additional Resources