This page describes a number of configuration options to increase the security of your CXO-Cockpit application. Basic knowledge of .NET configuration files is required to apply these options.
HTTP Strict Transport Security (HSTS)
Configuring HSTS ensures that all traffic with the server is done using secure HTTPS connections, when SSL/TLS is correctly configured for CXO-Cockpit. HSTS can be configured in the Web.config of CXO-Cockpit via the Configurator by adding the Strict-Transport-Security header to the customHeaders element in the system.webServer section.
<configuration>
:
<system.webserver>
:
<httpProtocol>
<customHeaders>
:
<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
:
</customHeaders>
</httpProtocol>
:
</system.webserver>
:
</configuration>
Secure Cookies
When using HTTPS protocol for the CXO-Cockpit website, it is advised to set the following flags on cookies:
- Secure. Enabling the Secure flag ensures that cookies are not sent over unsecure HTTP connections. This mitigates information leakage.
- SameSite. Enabling the SameSite flag ensure that cookies are only sent with request done from the same domain. With requests done by other websites, the cookies are not sent. This mitigates information leakage and risks of CSRF.
To add these flags to the cookies used by the CXO-Cockpit application, the Web.config file should be changed. This can be done through the Configurator.
Enable Secure flag
To enable the Secure flag on cookies set the attribute requireSSL on the httpCookies element in the system.web section.
<configuration>
:
<system.web>
:
<httpCookies ... requireSSL="true" />
:
</system.web>
:
</configuration>
Enable SameSite flag
To enable the SameSite flag on cookies the Web.config needs to be extended with a rewrite rule. To be able to use rewriting within IIS, the URL Rewrite component needs to be installed. More information can be found here: IIS Rewrite module.
After this component is installed, add the following configuration to the system.webServer section.
<configuration>
:
<system.webServer>
:
<rewrite>
<outboundRules>
<rule name="Add SameSite" preCondition="No SameSite">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; SameSite=strict" />
</rule>
<preConditions>
<preCondition name="No SameSite">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=strict" negate="true" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
:
</configuration>
Cross-Origin Resource Sharing (CORS)
By default Cross-Origin Resource Sharing (CORS) settings should be disabled. CXO application does not require CORS because CXO-Dashboard-UI and CXO-API's are hosted on the same server.
If you have any valid reason why CORS should be enabled, you can do that in CXO Configurator by adjusting following settings:
- "Cross-Origin Resource Sharing (CORS): Enabled" to true
- "Cross-Origin Resource Sharing (CORS): Allowed origins" - comma separated list of allowed origins.
The list of allowed origins should be as strict as possible.
It is possible to allow any origin by specifying "*" string it he "Allowed origins" field. This setting is strongly discouraged since it is insecure configuration.
- "Cross-Origin Resource Sharing (CORS): Allow Credentials" setting should be always false by default.
If you have any valid reason why browser should send credentials with a cross-origin requests, you can change the setting to true. Please be aware that changing this setting to true is strongly discouraged because it can cause potential security risks.
