This page describes a number of configuration options to increase the security of your CXO-Cockpit application. Basic knowledge of .NET configuration files is required to apply these options.
...
After this component is installed, add the following configuration to the system.webServer section.
<configuration>
:
<system.webServer>
:
<rewrite>
<outboundRules>
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=strict" />
</rule>
<preConditions>
<preCondition name="No SameSite">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=strict" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
:
</configuration>
Cross-Origin Resource Sharing (CORS)
By default Cross-Origin Resource Sharing (CORS) settings should be disabled. CXO application does not require CORS because CXO-Dashboard-UI and CXO-API's are hosted on the same server.
...
It is possible to allow any origin by specifying "*" string it he "Allowed origins" field. This setting is strongly discouraged since it is insecure configuration.
- "Cross-Origin Resource Sharing (CORS): Allow Credentials" setting should be always false by default.
...