This page describes a number of configuration options to increase the security of your CXO-Cockpit application. Basic knowledge of .NET configuration files is required to apply these options.
...
By default, Cross-Origin Resource Sharing (CORS) should be disabled. The CXO application does not require CORS because the CXO-Dashboard-UI website and the CXO APIs are hosted on the same server.
If you have a valid reason to enable CORS, you can do that in CXO Configurator by adjusting the following settings:
- "Cross-Origin Resource Sharing (CORS): Enabled" to true
- "Cross-Origin Resource Sharing (CORS): Allowed origins" - a comma-separated list of allowed origins (e.g. http://example1.com, https://example2.com).
The list of allowed origins should be as strict as possible.
To allow any port number, you can use "*" at the end of the URL (e.g. http://localhost*).
It is possible to allow any origin by specifying the "*" string in the "Allowed origins" field. This setting is strongly discouraged because it is an insecure configuration.
- "Cross-Origin Resource Sharing (CORS): Allow Credentials" setting should always be false by default.
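The following Python sketch is an added example, not part of CXO-Cockpit or its Configurator: it audits an "Allowed origins" value against the guidance above and shows a strict reading of the trailing "*" in which it stands only for a port. How CXO itself matches the wildcard is not described on this page; the function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def origin_matches(entry, origin):
    """Strict match: a trailing '*' stands only for an optional ':port'."""
    if entry.endswith("*"):
        return re.fullmatch(re.escape(entry[:-1]) + r"(:\d{1,5})?", origin) is not None
    return entry == origin

def audit_allowed_origins(value, allow_credentials=False):
    """Return (entry, finding) pairs for a comma-separated 'Allowed origins' value."""
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if entry == "*":
            findings.append((entry, "allows any origin"))
            if allow_credentials:
                findings.append((entry, "any origin together with Allow Credentials"))
            continue
        parts = urlsplit(entry.rstrip("*"))
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append((entry, "not a scheme://host origin"))
            continue
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            findings.append((entry, "contains a path, query or fragment"))
        if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
            findings.append((entry, "plain http origin"))
        if entry.endswith("*"):
            findings.append((entry, "trailing wildcard: verify it covers the port only"))
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for item in audit_allowed_origins("http://example1.com, https://example2.com, http://localhost*"):
        print(item)
    for origin in ("http://localhost:8080", "http://localhost.example.net"):
        print(origin, origin_matches("http://localhost*", origin))
```

Run the audit on the value before saving it in CXO Configurator; an empty result means none of the checks above fired.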
...