AgileApps Support Wiki Pre Release

Difference between revisions of "Security Headers Settings"


Revision as of 15:58, 10 May 2020

Overview

This feature adds a security layer to AgileApps for content loading and cross-origin resource sharing, using the Content Security Policy (CSP) and Cross-Origin Resource Sharing (CORS) mechanisms. It addresses possible cross-origin attacks by supporting the additional HTTP headers that CSP and CORS define. A use case for this feature is as follows: AgileApps allows users to load custom user interface components such as images, JavaScript, CSS, and fonts from a different origin, in order to customize an application with their preferred look and feel. AgileApps also allows products from other origins to access its resources. Both create a possible security risk. This feature lets you whitelist valid and genuine domains or origins in the ISV level and tenant level configurations; the AgileApps platform then permits only those origins when loading content and allowing cross-origin access.

Prerequisites

For all new installations, the CORS and CSP security headers are applied by default. No additional steps are required to activate them. All current browsers support the CSP and CORS security headers; however, we recommend that you verify your browser's support for these headers. For information on supported browsers, see Software Requirements. When you upgrade an existing environment, you must manually port the values of the init parameters for CORSFilter in the web.xml file to the target environment.

Basic Flow

You can provide separate domains at the tenant level, which affects only the respective tenant; other tenants within the same environment are not affected. Whitelisted domains in the ISV level configuration, however, apply to all tenants in that environment.

ISV Level Settings

1. Log in to Longjump.
2. Go to Settings > Service Provider Settings > Service Configuration.
3. In Security Headers Configuration, type the domain names which you want to whitelist. An example is as follows:

(Screenshot: isv_settings_new.png, the Security Headers Configuration section of Service Configuration)

4. Click Save.

Company Information Settings

In the Company Information page, you can perform tenant level configuration for CSP and CORS as follows:

1. Click Settings > Administration > Account Management > Company Information.
2. Click Edit. The Update Company Information page appears.
3. In the Security Headers Settings section, type the domain names which you want to whitelist. An example is as follows:

(Screenshot: company_info_csp_cors, the Security Headers Settings section of the Update Company Information page)

4. After you make the changes, click Save.
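The following is an added example, not code from AgileApps, showing how the ISV level and tenant level whitelists described under Basic Flow and in the two settings procedures combine into the headers a platform would emit: ISV entries apply to every tenant, tenant entries only to their own tenant, and a CORS origin is accepted only on an exact scheme, host and port match. The whitelist contents and tenant names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample whitelists (illustrative only, not from AgileApps).
ISV_WHITELIST = ["https://cdn.example-isv.com"]          # applies to all tenants
TENANT_WHITELISTS = {                                     # applies per tenant only
    "acme": ["https://assets.acme.example", "https://fonts.acme.example:8443"],
    "globex": ["https://static.globex.example"],
}

def normalize_origin(value):
    """Reduce a URL or origin string to scheme://host[:port]; None if malformed."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.hostname}" + (f":{port}" if port else "")

def effective_origins(tenant):
    """ISV-level entries plus the tenant's own entries, normalized and de-duplicated."""
    raw = ISV_WHITELIST + TENANT_WHITELISTS.get(tenant, [])
    return sorted({o for o in (normalize_origin(r) for r in raw) if o})

def csp_header(tenant):
    """Content-Security-Policy restricting images, scripts, styles and fonts to the
    application's own origin plus the whitelisted origins; everything else is 'self'."""
    sources = " ".join(["'self'"] + effective_origins(tenant))
    directives = ["default-src 'self'"]
    directives += [f"{d} {sources}" for d in ("img-src", "script-src", "style-src", "font-src")]
    return "; ".join(directives)

def cors_allow_origin(tenant, request_origin):
    """Value for Access-Control-Allow-Origin, or None to send no CORS header.
    Matching is exact on scheme, host and port, so 'https://evil-assets.acme.example'
    does not match 'https://assets.acme.example', and an http:// origin never matches
    an https:// whitelist entry. The whitelist is never reflected as '*'."""
    origin = normalize_origin(request_origin)
    if origin is not None and origin in effective_origins(tenant):
        return origin
    return None

if __name__ == "__main__":
    print(csp_header("acme"))
    print(cors_allow_origin("acme", "https://assets.acme.example"))
    print(cors_allow_origin("acme", "https://evil-assets.acme.example"))
```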