Security scan shows 'Unprotected Files' on login level of Tableau Server

Issue

Some security scan results may flag 'Unprotected Files' on the root level of Tableau Server that can be accessed without authentication.

For example, these HTML files (and their compressed/gzipped equivalents) may likely look like the following list:

https://tableau.<servername>.com:443/vizportal.min.js
https://tableau.<servername>.com:443/rsa.js
https://tableau.<servername>.com:443/console-polyfill.js
https://tableau.<servername>.com:443/vizportalMinLibs.js
https://tableau.<servername>.com:443/messageformat.js
https://tableau.<servername>.com:443/js.cookie.js
https://tableau.<servername>.com:443/Underscore.js
https://tableau.<servername>.com:443/jquery.js
https://tableau.<servername>.com:443/javascripts/api/tableau-2.0.2.min.js
https://tableau.<servername>.com:443/en/embeddedAuth.html
https://tableau.<servername>.com:443/en/textBox.html
https://tableau.<servername>.com:443/en/passwordBox.html
https://tableau.<servername>.com:443/en/signingIn.html
https://tableau.<servername>.com:443/en/signInLogo.html
https://tableau.<servername>.com:443/en/login.html

Environment

Tableau Server

Resolution

The list of .gz files are HTML and javascript code that allow Tableau Server login to work properly. They do not pose a security risk.

Cause

The functionality within these scripts need to be available in this location for the login page and Guest user to function correctly. These files are pre-compressed versions of the corresponding .html and .js files and are produced when the product is built. There is no sensitive information nor dynamic content of any kind contained in these files. They are available to an unauthenticated user by design to provide UI functionality that allows a user to authenticate to the system.