This page describes a number of configuration options to adjust the security of your CXO application. Basic knowledge of .NET configuration files is required to apply these options.
...
- Set "Cross-Origin Resource Sharing (CORS): Enabled" to true. Default value is false.
- Set "Cross-Origin Resource Sharing (CORS): Allowed origins" to a comma separated list of allowed origins (e.g. http://example1.com, https://example2.com). Default value is an empty string (no origins allowed).
- More info:
- The list of allowed origins should be as strict as possible.
- To allow multiple sub-origins you can use the "*" sign in the name (e.g. "https://*.example.com", "https://localhost*").
- It is possible to allow any origin by specifying the "*" string in the "Allowed origins" field. This setting is strongly discouraged because it is an insecure configuration; we advise using it only during the experimentation phase.
With CORS enabled, if you also want to allow credentials to be sent with cross-origin requests, adjust the following settings:
...
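The matching rules described above (exact origins, "*" inside a name for sub-origins, a lone "*" for any origin, an empty setting meaning nothing is allowed) are easy to get subtly wrong, so the following is a worked example of how a server-side check over that comma-separated setting behaves. This is an added example, not CXO's own code: it is written in Python rather than .NET, it assumes "*" behaves as a glob wildcard (the page does not specify the exact matching algorithm), and the audit findings are the reviewer's own heuristics.

```python
"""Allowed-origin matching for a comma-separated CORS setting (added example, not CXO code)."""
import fnmatch
from urllib.parse import urlsplit


def parse_allowed_origins(setting: str) -> list[str]:
    """Split the 'Allowed origins' value into trimmed, lower-cased patterns.
    An empty string yields no patterns, i.e. no origin is allowed (the default)."""
    return [p.strip().lower() for p in setting.split(",") if p.strip()]


def is_well_formed_origin(origin: str) -> bool:
    """A browser Origin header is scheme://host[:port] with no path, query or fragment.
    Rejecting anything else keeps the wildcard match from being fed odd input."""
    parts = urlsplit(origin)
    return (parts.scheme in ("http", "https") and bool(parts.netloc)
            and parts.path == "" and parts.query == "" and parts.fragment == "")


def origin_allowed(origin: str, patterns: list[str]) -> bool:
    """True when the request Origin matches one configured pattern.
    ASSUMPTION: '*' inside a pattern is a glob wildcard, so 'https://*.example.com'
    covers any sub-origin; a lone '*' allows every origin."""
    origin = origin.strip().lower()
    if not is_well_formed_origin(origin):
        return False
    for pattern in patterns:
        if pattern == "*":
            return True
        if "*" in pattern:
            if fnmatch.fnmatchcase(origin, pattern):
                return True
        elif origin == pattern:
            return True
    return False


def cors_headers(origin: str, patterns: list[str], allow_credentials: bool) -> dict[str, str]:
    """Response headers for a matching Origin. The concrete origin is echoed back
    (never '*'), which browsers require when credentials are allowed, and
    'Vary: Origin' keeps shared caches from serving one origin's answer to another."""
    if not origin_allowed(origin, patterns):
        return {}
    headers = {"Access-Control-Allow-Origin": origin.strip(), "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit_allowed_origins(setting: str) -> list[str]:
    """Review findings for over-broad patterns in the setting (reviewer heuristics)."""
    findings = []
    for p in parse_allowed_origins(setting):
        if p == "*":
            findings.append(f"{p!r} allows any origin; acceptable only while experimenting")
        elif p.endswith("*"):
            findings.append(f"{p!r} matches every origin starting with {p[:-1]!r}, "
                            "not only that exact host (glob assumption)")
        elif p.startswith("http://") and "localhost" not in p:
            findings.append(f"{p!r} is a plain-HTTP origin; prefer HTTPS")
    return findings


if __name__ == "__main__":
    # Constructed sample values, mirroring the setting format described above.
    patterns = parse_allowed_origins("https://*.example.com, https://localhost*")
    print(origin_allowed("https://app.example.com", patterns))   # True
    print(origin_allowed("https://example.com", patterns))       # False
    print(cors_headers("https://app.example.com", patterns, allow_credentials=True))
    for finding in audit_allowed_origins("*, https://localhost*, http://example1.com"):
        print("finding:", finding)
```

The audit is the part worth keeping in a deployment checklist: a trailing "*" on a host name is convenient for local development but, under glob semantics, is a prefix match rather than a host match, so it deserves a second look before the setting reaches production.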
The initial setup we provide is the following:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      ....
      <add name="Content-Security-Policy" value="default-src 'self' https://app.powerbi.com 'unsafe-inline'; img-src 'self' https: blob: data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
When setting up CSP, keep in mind that some customers will need to adjust the policy for their own deployment.
...
Once the CSP header is added, any website configured in our WebView control must also be added to the web.config configuration above. For example, if the website we want to show in the WebView control is https://embedded.website.example.com, the CSP configuration in web.config will look as follows:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      ....
      <add name="Content-Security-Policy" value="default-src 'self' https://app.powerbi.com https://embedded.website.example.com 'unsafe-inline'; img-src 'self' https: blob: data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
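To make the WebView adjustment above mechanical and checkable, here is an added example (not CXO code, and not a .NET component) that parses a Content-Security-Policy value, tells whether a given site would be permitted in a frame, and adds the site to the directive that actually governs frames. It assumes the browser's documented fallback order for framed content (frame-src, then child-src, then default-src), uses a simplified source matcher that covers exact hosts, scheme-only sources such as `https:` and `*.` host wildcards (keyword sources like `'self'` are not evaluated), and embeds the page's own initial header value as constructed input.

```python
"""CSP parsing and WebView site admission check (added example, not CXO code)."""

# Constructed input: the initial header value from the web.config above.
INITIAL_CSP = ("default-src 'self' https://app.powerbi.com 'unsafe-inline'; "
               "img-src 'self' https: blob: data:; "
               "script-src 'self' 'unsafe-inline' 'unsafe-eval'")

# Fallback order a browser applies when deciding whether a frame may load (CSP3).
FRAME_DIRECTIVES = ("frame-src", "child-src", "default-src")


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive: [sources]}, preserving order."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: dict[str, list[str]]) -> str:
    """Inverse of parse_csp: 'directive src src; directive src'."""
    return "; ".join(" ".join([directive, *sources]) for directive, sources in policy.items())


def source_matches(source: str, site: str) -> bool:
    """Simplified CSP source matching: exact origin, scheme-only source ('https:'),
    or an 'https://*.host' wildcard. Keyword sources ('self', 'unsafe-inline', ...)
    need the page origin and are deliberately not evaluated here."""
    source, site = source.lower(), site.lower()
    if source == site:
        return True
    if source.endswith(":") and "/" not in source:          # e.g. "https:"
        return site.startswith(source + "//")
    if "://*." in source:                                     # e.g. "https://*.example.com"
        scheme, _, host = source.partition("://*.")
        return site.startswith(scheme + "://") and site.endswith("." + host)
    return False


def site_allowed_in_frame(value: str, site: str) -> bool:
    """Would a frame/WebView load of `site` pass this policy? The first directive
    present in FRAME_DIRECTIVES decides; with none present, CSP imposes no limit."""
    policy = parse_csp(value)
    for directive in FRAME_DIRECTIVES:
        if directive in policy:
            return any(source_matches(s, site) for s in policy[directive])
    return True


def add_webview_site(value: str, site: str) -> str:
    """Return the header value with `site` admitted for frames. The site is added to
    the governing directive (frame-src if present, else child-src, else default-src),
    so adding it only to default-src cannot be silently overridden by a stricter one."""
    policy = parse_csp(value)
    governing = next((d for d in FRAME_DIRECTIVES if d in policy), "default-src")
    sources = policy.setdefault(governing, [])
    if not any(source_matches(s, site) for s in sources):
        sources.append(site)
    return serialize_csp(policy)


def audit_csp(value: str) -> list[str]:
    """Flag keywords that weaken the policy's XSS protection (reviewer heuristic)."""
    findings = []
    for directive, sources in parse_csp(value).items():
        for s in sources:
            if s in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{directive}: {s} weakens script restrictions")
    return findings


if __name__ == "__main__":
    site = "https://embedded.website.example.com"
    print(site_allowed_in_frame(INITIAL_CSP, site))   # False before the change
    updated = add_webview_site(INITIAL_CSP, site)
    print(updated)
    print(site_allowed_in_frame(updated, site))       # True afterwards
    for finding in audit_csp(updated):
        print("finding:", finding)
```

The admission check is the useful part when troubleshooting a blank WebView: run the deployed header value through `site_allowed_in_frame` with the embedded site before editing web.config, and if the policy ever gains a `frame-src` directive, that directive, not `default-src`, is the one the site must appear in.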