Versions Compared

Version Old Version 13 New Version 14
Changes made by

Tomasz Marcula (Deactivated)

Matija Lukic (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page describes a number of configuration options to adjust the security of your CXO-Cockpit application. Basic knowledge of .NET configuration files is required to apply these options.

...

By default Cross-Origin Resource Sharing (CORS) settings should be are disabled. , because CXO application does not require CORS since as the website and its APIs are hosted on the same server.

If you would like to have CORS , you can do that in CXO Configurator by adjusting on CXO, adjust the following settings:

  • Set "Cross-Origin Resource Sharing (CORS): Enabled" to true. Default value is false.
  • Set "Cross-Origin Resource Sharing (CORS): Allowed origins" - to a comma separated list of allowed origins (e.g. http://example1.com,  https://example2.com). Default value is an empty string (no origins allowed).
    • More info:
      • The list of allowed origins should be as strict as possible.

...

      • To allow multiple sub origins you can use "*" sign in the name e.g. (e.g. "https://*.example.com", "https://localhost*")

...

      • It is possible to allow any origin by specifying "*" string it he "Allowed origins" field. This setting is strongly discouraged since it is insecure configuration. We advise to use it only for in experimentation phase.

With CORS enabled, if you want to allow also sending credentials with a cross-origin requests, adjust the following settings

  •  Set "Cross-Origin Resource Sharing (CORS): Allow Credentials" setting should be always false by default. 

...

  • to true. Default value is false.
    • More info:
      • Please be aware that allowing cross-origin credentials is a security risk. A website at another domain can send a signed-in user's credentials to the app on the user's behalf without the user's knowledge.
      • The CORS specification also states that setting allowed origins to "*" (all origins) is invalid if the Access-Control-Allow-Credentials header is present.

...

      • In case credentials are allowed for CORS, please make sure that "Cross-Origin Resource Sharing (CORS): Allowed origins" is not set "*" otherwise some browsers might refuse the requests.