This page describes a number of configuration options to adjust the security of your CXO-Cockpit application. Basic knowledge of .NET configuration files is required to apply these options.


HTTP Strict Transport Security (HSTS)

Configuring HSTS instructs browsers to use only secure HTTPS connections to the server; it requires that SSL/TLS is already correctly configured for CXO-Cockpit. HSTS can be configured in the Web.config of CXO-Cockpit via the Configurator by adding the Strict-Transport-Security header to the customHeaders element in the system.webServer section.

<configuration>
       :
  <system.webServer>
       :
    <httpProtocol>
      <customHeaders>
       :
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
       :
      </customHeaders>
    </httpProtocol>
       :
  </system.webServer>
       :
</configuration>

Secure Cookies

When using the HTTPS protocol for the CXO-Cockpit website, it is advised to set the following flags on cookies:

...

<configuration>
       :
  <system.webServer>
       :
    <rewrite>
      <outboundRules>
        <rule name="Add SameSite" preCondition="No SameSite">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; SameSite=strict" />
        </rule>
        <preConditions>
          <preCondition name="No SameSite">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=strict" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
       :
</configuration>
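As an added example (not part of the CXO-Cockpit documentation or product), the following Python check parses a Web.config and verifies the two settings above: a Strict-Transport-Security custom header with a max-age of at least one year, and an outbound rewrite rule that appends SameSite to Set-Cookie. The Web.config embedded in it is constructed and trimmed to the relevant elements; the one-year threshold is an assumption taken from the snippet above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Web.config (not from a real CXO-Cockpit install), trimmed to
# the HSTS custom header and the SameSite outbound rule described on this page.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
      </customHeaders>
    </httpProtocol>
    <rewrite>
      <outboundRules>
        <rule name="Add SameSite">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; SameSite=strict" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>"""

MIN_HSTS_MAX_AGE = 31536000  # one year (assumed threshold, matches the snippet above)


def audit_web_config(xml_text):
    """Return a dict of findings; True means the control is present and adequate."""
    root = ET.fromstring(xml_text)
    findings = {"hsts": False, "hsts_subdomains": False, "samesite_rule": False}
    # HSTS: find the customHeaders entry and parse its max-age directive.
    for add in root.iterfind("./system.webServer/httpProtocol/customHeaders/add"):
        if add.get("name", "").lower() != "strict-transport-security":
            continue
        value = add.get("value", "")
        m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
        findings["hsts"] = bool(m) and int(m.group(1)) >= MIN_HSTS_MAX_AGE
        findings["hsts_subdomains"] = "includesubdomains" in value.lower()
    # SameSite: an outbound rule must rewrite RESPONSE_Set_Cookie and append SameSite.
    for rule in root.iterfind("./system.webServer/rewrite/outboundRules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None:
            continue
        if (match.get("serverVariable") == "RESPONSE_Set_Cookie"
                and "samesite=" in action.get("value", "").lower()):
            findings["samesite_rule"] = True
    return findings
```

Run it against a real Web.config by reading the file into a string and passing it to audit_web_config; a False for any key points at the section of this page to apply.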

Cross-Origin Resource Sharing (CORS)

From version 21.1.1, Cross-Origin Resource Sharing (CORS) is disabled by default, because CXO-Cockpit does not require CORS: the website and its APIs are hosted on the same server.

...

  • Set "Cross-Origin Resource Sharing (CORS): Enabled" to true. The default value is false.
  • Set "Cross-Origin Resource Sharing (CORS): Allowed origins" to a comma-separated list of allowed origins (e.g. http://example1.com, https://example2.com). The default value is an empty string (no origins allowed).
    • More info:
      • The list of allowed origins should be as strict as possible.
      • To allow multiple origins under one domain you can use the "*" wildcard in the name (e.g. "https://*.example.com", "https://localhost*").
      • It is possible to allow any origin by specifying "*" in the "Allowed origins" field. This setting is strongly discouraged since it is an insecure configuration. We advise using it only during an experimentation phase.

With CORS enabled, if you also want to allow credentials to be sent with cross-origin requests, adjust the following settings:

...