This page describes a number of configuration options to increase the security of your CXO-Cockpit application. Basic knowledge of .NET configuration files is required to apply these options.

...

After this component is installed, add the following configuration to the system.webServer section.

<configuration>
  <!-- ... -->
  <system.webServer>
    <!-- ... -->
    <rewrite>
      <outboundRules>
        <rule name="Add SameSite" preCondition="No SameSite">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; SameSite=strict" />
        </rule>
        <preConditions>
          <preCondition name="No SameSite">
            <add input="{RESPONSE_Set_Cookie}" pattern="." />
            <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=strict" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
  <!-- ... -->
</configuration>
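To verify what the outbound rule above does to real Set-Cookie headers before deploying it, the following added example (not CXO-Cockpit code) models the rule's two preconditions and its rewrite action in Python and audits a constructed set of headers; it assumes the IIS default of case-insensitive pattern matching (ignoreCase="true").

```python
import re

# Regexes taken from the web.config rule; IIS rewrite patterns are
# case-insensitive by default (ignoreCase="true"), hence re.IGNORECASE.
PRECOND_NON_EMPTY = re.compile(".", re.IGNORECASE)                   # <add pattern="." />
PRECOND_HAS_STRICT = re.compile("; SameSite=strict", re.IGNORECASE)  # <add ... negate="true" />
MATCH_ALL = re.compile(".*", re.IGNORECASE)                          # <match pattern=".*" />


def precondition_no_samesite(set_cookie: str) -> bool:
    """True when both <add> entries of the "No SameSite" preCondition hold."""
    return (PRECOND_NON_EMPTY.search(set_cookie) is not None
            and PRECOND_HAS_STRICT.search(set_cookie) is None)


def apply_samesite_rule(set_cookie: str) -> str:
    """Return the Set-Cookie value as the "Add SameSite" rule would emit it."""
    if not precondition_no_samesite(set_cookie):
        return set_cookie
    m = MATCH_ALL.match(set_cookie)
    return f"{m.group(0)}; SameSite=strict"  # action value="{R:0}; SameSite=strict"


def cookies_without_samesite(set_cookie_headers):
    """Audit helper: names of cookies whose header carries no SameSite attribute."""
    missing = []
    for header in set_cookie_headers:
        if not header:
            continue
        if not re.search(r";\s*SameSite=", header, re.IGNORECASE):
            missing.append(header.split("=", 1)[0].strip())
    return missing


# Constructed sample Set-Cookie headers (not captured from a real server).
SAMPLE = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "XSRF-TOKEN=tok; path=/; Secure; SameSite=strict",
    "pref=dark; path=/; SameSite=Lax",
    "",
]

if __name__ == "__main__":
    for h in SAMPLE:
        print(repr(h), "->", repr(apply_samesite_rule(h)))
    print("missing SameSite before:", cookies_without_samesite(SAMPLE))
    print("missing SameSite after:",
          cookies_without_samesite([apply_samesite_rule(h) for h in SAMPLE]))
```

The third sample shows that a cookie already carrying a different SameSite value (here Lax) is not excluded by the precondition and receives a second SameSite attribute, so such cookies should be reviewed explicitly.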

Cross-Origin Resource Sharing (CORS)

By default, Cross-Origin Resource Sharing (CORS) should be disabled. The CXO application does not require CORS because CXO-Dashboard-UI and the CXO APIs are hosted on the same server.

If you have a valid reason to enable CORS, you can do so in CXO Configurator by adjusting the following settings:

  • "Cross-Origin Resource Sharing (CORS): Enabled" to true
  • "Cross-Origin Resource Sharing (CORS): Allowed origins" - comma-separated list of allowed origins.

The list of allowed origins should be as strict as possible.

It is possible to allow any origin by entering the string "*" in the "Allowed origins" field. This setting is strongly discouraged because it is an insecure configuration.

  • "Cross-Origin Resource Sharing (CORS): Allow Credentials" should always remain at its default value of false.

If you have a valid reason why the browser should send credentials with cross-origin requests, you can change the setting to true. Please be aware that changing this setting to true is strongly discouraged because it introduces security risks.
