The Security tab on the Survey Settings dialog lets you customize the security headers that the hosting server sends to the user's browser. It is recommended to consult with your IT department before making changes to these settings.
The default settings work in most situations, but occasionally you might need to access resources such as images and fonts from a website other than the hosting server, or need to embed the survey in another window.
Allow images, videos, fonts, scripts, etc.
If the survey needs to access resources such as images, videos, fonts, or scripts from another domain, the security headers need to specify the allowed domain or domains. You can enter the domains separated by commas in the text box. For example, if the survey will use images from mydomain.com, you would enter https://mydomain.com in the text box.
Allow survey to be embedded in a <frame>, <iframe>, <embed>, or <object>
If the survey needs to be embedded within another webpage, the security headers need to specify the domain or domains of the pages that will embed the survey. You can enter the domains separated by commas in the text box. For example, if the survey will be embedded into a page at mydomain.com, you would enter https://mydomain.com in the text box.
For more information on embedding videos into surveys, see Appendix D.
Allow cookies to be used over insecure connections (HTTP)
If the survey is served from a server that does not use SSL (i.e., over HTTP), this needs to be enabled for cookies to work correctly. Cookies are used when respondents restart surveys.
Security Header Preview
This text box shows a preview of the headers that will be used.
NOTE: Beginning in version 9.16, the headers include a NONCE() placeholder, which is filled with a nonce value that identifies the survey's own JavaScript as safe to run.
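The following is an added illustration, not the survey software's own code, of how the settings above (allowed resource domains, allowed embedding domains, the insecure-cookie option, and the nonce) combine into the kind of headers the preview box shows. The CSP directive layout, the cookie name and the rule that each entry must be a bare https origin are assumptions made here.

```python
import re
import secrets
from typing import Dict, List, Optional

# Assumption: each comma-separated entry must be a bare https origin such as
# https://mydomain.com (no path, no http://), matching the page's example.
ORIGIN_RE = re.compile(r"^https://[a-z0-9.-]+(:\d+)?$", re.IGNORECASE)


def parse_origins(text: str) -> List[str]:
    """Split a text-box value on commas and reject entries that are not https origins."""
    origins = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        if not ORIGIN_RE.match(item):
            raise ValueError(f"not a valid https origin: {item!r}")
        origins.append(item.lower())
    return origins


def build_headers(resource_domains: str = "", frame_domains: str = "",
                  allow_insecure_cookies: bool = False,
                  nonce: Optional[str] = None) -> Dict[str, str]:
    """Assemble a Content-Security-Policy and a session cookie from the tab's settings."""
    nonce = nonce or secrets.token_urlsafe(16)          # fresh value per response
    resources = ["'self'"] + parse_origins(resource_domains)
    ancestors = ["'self'"] + parse_origins(frame_domains)
    csp = "; ".join([
        "default-src 'self'",
        # Inline/own scripts must carry the nonce; listed domains may serve scripts too.
        "script-src " + " ".join(resources + [f"'nonce-{nonce}'"]),
        "img-src " + " ".join(resources),
        "font-src " + " ".join(resources),
        "media-src " + " ".join(resources),
        # Only these pages may place the survey in a frame/iframe/embed/object.
        "frame-ancestors " + " ".join(ancestors),
    ])
    # Hypothetical cookie name; the Secure flag is what breaks cookies over plain HTTP.
    cookie = "SurveySession=example; HttpOnly; SameSite=Lax"
    if not allow_insecure_cookies:
        cookie += "; Secure"
    return {"Content-Security-Policy": csp, "Set-Cookie": cookie}
```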
CSRF Token
The CSRF Token protects the website against Cross-Site Request Forgery attacks. This type of attack exploits session cookies to submit state-changing requests on the victim's behalf. The token also requires that your website be SSL-secured, which means that its address must begin with "https" rather than "http". If you are unable to get it SSL-secured, you can disable the CSRF token to prevent any error messages.
Because this protection relies on a CSRF token stored in a cookie, respondents cannot resume their surveys from a different browser than the one they started in.
This area is for specifying custom security headers. When enabled, the headers will be used exactly as typed into the text box. It is your responsibility to make sure the headers contain no errors.
NOTE: Beginning in version 9.16, the headers include a NONCE() placeholder, which is filled with a nonce value that identifies the survey's own JavaScript as safe to run. Removing it will reduce the security of your survey and may cause some functionality to stop working correctly.
Use security headers when testing survey locally
When checked, the security headers are included when using the Test functionality. This does not apply when using Preview (security headers are not applied to previews).