DashboardPluginSettings - System Parameter

The Nodinite System Parameter DashboardPluginSettings provides granular security controls for Custom Dashboard Items, allowing administrators to fine-tune what HTML elements, scripts, and external resources are permitted in dashboard plugins. This parameter works in conjunction with the product key feature flag to enforce defense-in-depth security.

New 7.4.0

Important

DashboardPluginSettings is only functional if your Nodinite product key includes the Custom Dashboard feature flag. Without this flag, all custom dashboard plugins are disabled regardless of this parameter's configuration. Contact Nodinite support to request the feature flag.

System Parameter Name: DashboardPluginSettings
Data Type: JSON
Values/Example: JSON object (see example below)
Comment: Default = All security settings set to false for maximum security

Why This Matters for Your Business

  • Enterprise-Grade Security – Control exactly what custom dashboard plugins can execute, preventing unauthorized JavaScript, external API calls, and resource loading.
  • Flexible Security Posture – Enable only the features you need while maintaining strict controls on high-risk capabilities.
  • Compliance-Ready – Meet security audit requirements with documented, granular controls over custom HTML content.
  • Defense-in-Depth – Multiple security layers: product key authentication + content sanitization + this parameter's granular controls.
  • Zero-Trust Default – All dangerous capabilities disabled by default; must be explicitly enabled.

How It Works

The DashboardPluginSettings parameter uses a JSON structure to control four security-critical capabilities:

graph TD
    A["User Accesses Dashboard"] --> B{Product Key Feature Flag?}
    B -- No --> C["Custom Dashboards Disabled"]
    B -- Yes --> D{Parse DashboardPluginSettings}
    D --> E1["AllowScripts?"]
    D --> E2["AllowExternalContent?"]
    D --> E3["AllowExternalCalls?"]
    D --> E4["AllowExternalScripts?"]
    E1 -- false --> F1["Block JavaScript in iframe"]
    E1 -- true --> F2["Enable JavaScript in iframe"]
    E2 -- false --> G1["Block External Images/Fonts/CSS"]
    E2 -- true --> G2["Load External Resources"]
    E3 -- false --> H1["Block External API Calls"]
    E3 -- true --> H2["Allow External API Calls"]
    E4 -- false --> I1["Block External JavaScript Files"]
    E4 -- true --> I2["Load External Scripts"]
    style A fill:#87CEEB
    style B fill:#FFD700
    style C fill:#FF6B6B
    style D fill:#90EE90
    style E1 fill:#FFD700
    style E2 fill:#FFD700
    style E3 fill:#FFD700
    style E4 fill:#FFD700
    style F1 fill:#FF6B6B
    style F2 fill:#90EE90
    style G1 fill:#FF6B6B
    style G2 fill:#90EE90
    style H1 fill:#FF6B6B
    style H2 fill:#90EE90
    style I1 fill:#FF6B6B
    style I2 fill:#90EE90

Diagram: DashboardPluginSettings security enforcement workflow showing how each setting controls specific dashboard plugin capabilities.

Security Controls

  1. AllowScripts (boolean) – If true, enables JavaScript execution within dashboard plugin iframes. Default: false.
  2. AllowExternalContent (boolean) – If true, allows loading external images, fonts, and CSS files. Default: false.
  3. AllowExternalCalls (boolean) – If true, plugins can make API calls to external servers. Default: false.
  4. AllowExternalScripts (boolean) – If true, plugins can load external JavaScript files from CDNs or third-party sources. Default: false.

Warning

Enabling any of these settings increases your security risk. Only enable capabilities you explicitly need, and ensure your HTML widget files come from trusted sources. All settings default to false for zero-trust security.

JSON Configuration Structure

The default secure configuration (all capabilities disabled):

{
  "AllowScripts": false,
  "AllowExternalContent": false,
  "AllowExternalCalls": false,
  "AllowExternalScripts": false
}

Example: Enable only internal API calls with JavaScript (for Log View counters):

{
  "AllowScripts": true,
  "AllowExternalContent": false,
  "AllowExternalCalls": false,
  "AllowExternalScripts": false
}

Example: Enable Power BI embedding (requires external content):

{
  "AllowScripts": true,
  "AllowExternalContent": true,
  "AllowExternalCalls": true,
  "AllowExternalScripts": false
}

Caution

Never enable all settings unless you have a specific, documented business requirement. The most permissive configuration (all true) should only be used in development/test environments with trusted content sources.
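
A way to check a DashboardPluginSettings value before saving it, as an added example that is not Nodinite code. The function name `lint_settings` and the rule that anything other than a literal `true` counts as disabled for review purposes are assumptions of this sketch; how the product itself treats missing, unknown or non-boolean keys is not stated on this page.

```python
import json

# The four flags documented on this page.
KNOWN_FLAGS = ("AllowScripts", "AllowExternalContent",
               "AllowExternalCalls", "AllowExternalScripts")

def _pairs_to_dict(pairs):
    """Build the object, failing on duplicate keys that json.loads would silently merge."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r}")
        seen[key] = value
    return seen

def lint_settings(raw):
    """Return (flags, problems); flags is None when the value cannot be parsed."""
    try:
        data = json.loads(raw, object_pairs_hook=_pairs_to_dict)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    except ValueError as exc:
        return None, [str(exc)]
    if not isinstance(data, dict):
        return None, ["top-level value must be a JSON object"]
    problems = [f"unknown key {k!r}" for k in data if k not in KNOWN_FLAGS]
    flags = {}
    for name in KNOWN_FLAGS:
        if name not in data:
            problems.append(f"{name} is missing")
        elif not isinstance(data[name], bool):
            problems.append(f"{name} must be true or false, got {data[name]!r}")
        # Review assumption: anything that is not a literal true counts as disabled.
        flags[name] = data.get(name) is True
    if all(flags.values()):
        problems.append("all four capabilities are enabled")
    return flags, problems

# Constructed sample: a string instead of a boolean, and a misspelled key.
SAMPLE = '{"AllowScripts": "true", "AllowExternalCall": true}'

if __name__ == "__main__":
    for problem in lint_settings(SAMPLE)[1]:
        print(problem)
```
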

Prerequisites

Before configuring DashboardPluginSettings, ensure:

  1. Administrator Access – You must be a member of the built-in Administrator Role to change system parameters.
  2. File System Access – Dashboard plugin HTML files must be deployed to C:\Program Files\Nodinite\[Instance]\WebClient\Plugins\ by an administrator with server access.

Common Use Cases

Static HTML Announcements (Most Secure)

Scenario: Display environment badges and team announcements with no dynamic content.
Configuration: Default (all false)
Allowed Content: Static HTML, Bootstrap classes, Font Awesome icons

{
  "AllowScripts": false,
  "AllowExternalContent": false,
  "AllowExternalCalls": false,
  "AllowExternalScripts": false
}

Dynamic Log View Counters (Internal APIs Only)

Scenario: Display real-time log event counts using Nodinite internal Web API.
Configuration: Enable JavaScript only for Angular directive execution
Allowed Content: Angular directives (customJsonCountController), internal API calls

{
  "AllowScripts": true,
  "AllowExternalContent": false,
  "AllowExternalCalls": false,
  "AllowExternalScripts": false
}

Power BI Dashboard Embedding

Scenario: Embed Power BI reports with Nodinite data via Web API.
Configuration: Enable external content and calls for Power BI service
Allowed Content: Power BI embed iframes, external fonts, API calls to Power BI service

{
  "AllowScripts": true,
  "AllowExternalContent": true,
  "AllowExternalCalls": true,
  "AllowExternalScripts": false
}

Tip

Start with the most restrictive configuration (default) and incrementally enable only the capabilities you need after testing. Document your configuration changes and the business justification.

Security Best Practices

  1. Principle of Least Privilege – Only enable settings required for your specific use case.
  2. Code Review All Widgets – Manually inspect HTML files before deployment, even with security controls enabled.
  3. Restrict File System Access – Only allow trusted administrators to deploy plugin files to the Plugins\ folder.
  4. Monitor for Changes – Enable file system auditing on the Plugins\ directory to detect unauthorized modifications.
  5. Regular Security Reviews – Periodically review enabled settings and remove unnecessary capabilities.
  6. Test in Non-Production First – Validate security configurations in UAT/dev environments before production deployment.
  7. Document All Changes – Maintain a record of who changed settings, when, and why.
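
To support the widget code review in item 2, the following added example (not Nodinite code) scans a widget's HTML and reports which of the four flags its markup appears to need, compared with the configured settings. The mapping of tags to flags, the names `WidgetScanner` and `review_widget`, and the sample widget are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping: tags whose URL attribute loads external content.
EXTERNAL_CONTENT_TAGS = {"img": "src", "link": "href", "iframe": "src"}

def is_external(url):
    """True for absolute http(s) URLs and protocol-relative URLs."""
    if not url:
        return False
    url = url.strip()
    return url.startswith("//") or urlparse(url).scheme in ("http", "https")

class WidgetScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.required = set()       # flags the markup appears to need
        self.inline_handlers = []   # (tag, attribute), e.g. ("button", "onclick")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.required.add("AllowScripts")
            if is_external(attrs.get("src")):
                self.required.add("AllowExternalScripts")
        elif tag in EXTERNAL_CONTENT_TAGS:
            if is_external(attrs.get(EXTERNAL_CONTENT_TAGS[tag])):
                self.required.add("AllowExternalContent")
        # Inline event handlers may be blocked by sanitization even with AllowScripts.
        self.inline_handlers += [(tag, name) for name in attrs if name.startswith("on")]

def review_widget(html, settings):
    """Compare what the widget markup needs with what the settings enable."""
    scanner = WidgetScanner()
    scanner.feed(html)
    scanner.close()
    required = sorted(scanner.required)
    return {
        "required": required,
        "not_enabled": [f for f in required if settings.get(f) is not True],
        "inline_handlers": scanner.inline_handlers,
    }

# Constructed sample widget and the Log View counter configuration from this page.
SAMPLE_WIDGET = """<div class="card">
  <img src="https://cdn.example.test/logo.png"><img src="images/local.png">
  <button onclick="refresh()">Refresh</button>
  <script src="https://cdn.example.test/chart.js"></script>
  <script>console.log('test')</script>
</div>"""
LOG_VIEW_SETTINGS = {"AllowScripts": True, "AllowExternalContent": False,
                     "AllowExternalCalls": False, "AllowExternalScripts": False}
```

Angular directive markup and external API calls made from inside script bodies are not detected by this scan and still need manual review.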

Troubleshooting

Custom Dashboards Not Appearing After Enabling Settings

Problem: DashboardPluginSettings configured with enabled capabilities, but custom dashboard plugins still don't appear.

Solution:

  1. Verify Product Key – Check Administration → Settings → License Information to confirm Custom Dashboard feature flag is present. If missing, contact Nodinite support.
  2. Check File Location – Ensure HTML files are in C:\Program Files\Nodinite\[Instance]\WebClient\Plugins\ with .html extension.
  3. Clear Browser Cache – Hard refresh with Ctrl+F5 (Windows) or Cmd+Shift+R (Mac).
  4. Review IIS Permissions – Verify IIS app pool identity has Read access to plugin files.

JavaScript Not Executing in Widgets

Problem: AllowScripts set to true, but JavaScript in widgets doesn't execute.

Solution:

  1. Verify JSON Syntax – Ensure DashboardPluginSettings value is valid JSON with no syntax errors.
  2. Check Browser Console – Open Developer Tools (F12) → Console tab to see JavaScript errors.
  3. Review Content Sanitization – Even with AllowScripts: true, certain JavaScript patterns (inline event handlers like onclick) may still be blocked by content sanitization.
  4. Test Incrementally – Start with simple JavaScript (console.log('test')) to verify execution works before adding complex logic.

External API Calls Blocked

Problem: AllowExternalCalls set to true, but external API requests fail.

Solution:

  1. CORS Configuration – External APIs must have proper CORS headers to allow requests from your Nodinite domain.
  2. HTTPS Requirements – Mixed content (HTTPS page loading HTTP resources) is blocked by browsers. Ensure external APIs use HTTPS.
  3. Network Firewall – Verify firewall rules allow outbound connections to external API endpoints.
  4. Browser Console – Check for CORS errors or blocked requests in Developer Tools → Network tab.

Version History

  • Version 7.4.0 – DashboardPluginSettings system parameter introduced with granular security controls for custom dashboard plugins.

Next Steps

How do I change the System Parameters?
Custom Dashboard Items – Complete guide to creating and deploying dashboard plugins
ProductKey System Parameter – Manage feature flags and licensing
