KNOWLEDGE BASE

Security scan shows 'Unprotected Files' on login level of Tableau Server


Published: 10 Aug 2016
Last Modified Date: 29 Mar 2018

Issue

Some security scan results may flag 'Unprotected Files' on the root level of Tableau Server that can be accessed without authentication.

For example, the flagged HTML and JavaScript files (and their compressed/gzipped equivalents) may look like the following list:

https://tableau.<servername>.com:443/vizportal.min.js
https://tableau.<servername>.com:443/rsa.js
https://tableau.<servername>.com:443/console-polyfill.js
https://tableau.<servername>.com:443/vizportalMinLibs.js
https://tableau.<servername>.com:443/messageformat.js
https://tableau.<servername>.com:443/js.cookie.js
https://tableau.<servername>.com:443/Underscore.js
https://tableau.<servername>.com:443/jquery.js
https://tableau.<servername>.com:443/javascripts/api/tableau-2.0.2.min.js
https://tableau.<servername>.com:443/en/embeddedAuth.html
https://tableau.<servername>.com:443/en/textBox.html
https://tableau.<servername>.com:443/en/passwordBox.html
https://tableau.<servername>.com:443/en/signingIn.html
https://tableau.<servername>.com:443/en/signInLogo.html
https://tableau.<servername>.com:443/en/login.html

Environment

  • Tableau Server

Resolution

The listed .gz files are HTML and JavaScript code that allows Tableau Server login to work properly. They do not pose a security risk.

Cause

The functionality within these scripts needs to be available in this location for the login page and Guest user to function correctly. These files are pre-compressed versions of the corresponding .html and .js files and are produced when the product is built. There is no sensitive information or dynamic content of any kind contained in these files. They are available to an unauthenticated user by design to provide UI functionality that allows a user to authenticate to the system.
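
One way to triage scanner output against the list above, as an added example that is not part of the original article or Tableau's own tooling: findings whose path exactly matches a listed file (or its `.gz` equivalent) are marked expected, and everything else is left for review. The host `tableau.example.com` and the sample findings are constructed, and `triage` and `gz_matches_plain` are hypothetical helper names.

```python
import gzip
import zlib
from urllib.parse import urlsplit

# Paths copied from the list in this article (by-design unauthenticated).
EXPECTED_PATHS = {
    "/vizportal.min.js", "/rsa.js", "/console-polyfill.js",
    "/vizportalMinLibs.js", "/messageformat.js", "/js.cookie.js",
    "/Underscore.js", "/jquery.js",
    "/javascripts/api/tableau-2.0.2.min.js",
    "/en/embeddedAuth.html", "/en/textBox.html", "/en/passwordBox.html",
    "/en/signingIn.html", "/en/signInLogo.html", "/en/login.html",
}

# Constructed sample findings; tableau.example.com is a placeholder host.
SAMPLE_FINDINGS = [
    "https://tableau.example.com:443/en/login.html",
    "https://tableau.example.com:443/rsa.js.gz",
    "https://tableau.example.com:443/en/other.html",
    "https://tableau.example.com:443/en/login.html?x=1",
]

def triage(url):
    """Return 'expected' for a finding on the article's list, else 'review'."""
    parts = urlsplit(url)
    path = parts.path
    if path.endswith(".gz"):          # pre-compressed equivalent
        path = path[:-3]
    # Exact, case-sensitive match only; a query string is not a plain
    # static fetch, so it is never auto-dismissed.
    if parts.query or path not in EXPECTED_PATHS:
        return "review"
    return "expected"

def gz_matches_plain(gz_body, plain_body):
    """True if a .gz response is exactly the compressed plain file."""
    try:
        return gzip.decompress(gz_body) == plain_body
    except (OSError, EOFError, zlib.error):
        return False

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print(triage(finding), finding)
```

`gz_matches_plain` takes the two response bodies already fetched for a `.gz` file and its uncompressed counterpart, so the claim that one is only the pre-compressed form of the other can be checked during scan review.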