'X-XSS-Protection' header

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. This header is added by default by the application and no additional configuration is needed.


Enforce HTTPS

SigningHub Web enforces HTTPS to encrypt data transmitted between the client and the server. SigningHub configures this in the application itself and no other configuration is required.


Cross-Site Request Forgery (CSRF)

SigningHub implements anti-forgery tokens to protect the application from CSRF attacks. This is implemented in the application by default and no configuration is required.


CORS Policy

SigningHub implements CORS policies to control how its resources are accessed from external domains. By default everything is allowed, but this can be configured in appsettings.Production.json in the following section:

"Cors": {
  "Policy": "AllowAll",
  "Headers": "*"
}


HTTP Strict Transport Security (HSTS)

SigningHub implements HSTS to protect against protocol downgrade attacks and cookie hijacking by ensuring that browsers only communicate with the server over HTTPS. The following settings can be configured in appsettings.Production.json, and ExcludedHosts can be set explicitly as needed:

"Hsts": {
  "Preload": "true",
  "IncludeSubDomains": "true",
  "MaxAge": "60",
  "ExcludedHosts": ""
}

ExcludedHosts is optional. If IncludeSubDomains is specified, this rule applies to all of the site's sub-domains as well.


HTTP Public Key Pinning header

The HTTP Public-Key-Pins response header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them is used by the server, the browser will not accept the response as legitimate and will not display it. To enable key pinning, add the following header to the HTTP Response Headers of the SigningHub Desktop Web website in IIS:

Public-Key-Pins: pin-sha256="<pin-value>"; max-age=<expire-time>; includeSubDomains


pin-sha256: The quoted string is the Base64-encoded SHA-256 fingerprint of the Subject Public Key Information (SPKI). It is possible to specify multiple pins for different public keys. Some browsers might allow hashing algorithms other than SHA-256 in future.


max-age: The time, in seconds, that a browser should remember that this site is only to be accessed using one of the defined keys, e.g. 31536000.

 

includeSubDomains: If this optional parameter is specified, this rule applies to all of the site's sub-domains as well.
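The HSTS and Public-Key-Pins headers described above share the same "directive; directive=value" syntax, so a deployment can be checked from a captured response header before it is trusted. The following is an added example, not part of the SigningHub documentation or product: it parses both header values, derives a pin-sha256 value the way the header defines it (Base64 of the SHA-256 digest of the DER-encoded SPKI), and flags the settings a reviewer would question: an HSTS max-age below one year when preload is requested, a missing includeSubDomains, and a Public-Key-Pins header with fewer than two pins (RFC 7469 requires a backup pin that does not match the current chain). The header values and the SPKI bytes are constructed for the example.

```python
import base64
import hashlib
import re

ONE_YEAR = 31536000  # seconds; the minimum max-age accepted for the HSTS preload list
PIN_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")  # Base64 of a 32-byte SHA-256 digest


def parse_directives(value):
    """Split a ';'-separated header value such as
    'max-age=60; includeSubDomains; preload' into a dict.
    Names are lower-cased, flags without '=' map to True, and repeated
    names (several pin-sha256 directives) are collected into a list."""
    result = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if sep else True
        if name in result:
            previous = result[name]
            result[name] = (previous if isinstance(previous, list) else [previous]) + [val]
        else:
            result[name] = val
    return result


def audit_hsts(value):
    """Return a list of findings for a Strict-Transport-Security value."""
    d = parse_directives(value)
    raw = d.get("max-age")
    if not isinstance(raw, str) or not raw.isdigit():
        return ["max-age missing or not an integer"]
    max_age = int(raw)
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload requested but preload list requirements not met")
    return findings


def spki_pin(spki_der):
    """pin-sha256 value: Base64 of the SHA-256 digest over the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def audit_hpkp(value):
    """Return a list of findings for a Public-Key-Pins value."""
    d = parse_directives(value)
    pins = d.get("pin-sha256", [])
    if not isinstance(pins, list):
        pins = [pins]
    pins = [p for p in pins if p is not True]  # drop a bare 'pin-sha256' flag
    findings = []
    if len(pins) < 2:
        findings.append("fewer than two pins: RFC 7469 requires a backup pin")
    for p in pins:
        if not PIN_RE.match(p):
            findings.append(f"pin {p!r} is not a Base64 SHA-256 digest")
    raw = d.get("max-age")
    if not isinstance(raw, str) or not raw.isdigit():
        findings.append("max-age missing or not an integer")
    return findings


# Constructed sample values, not captured from any real deployment.
SAMPLE_HSTS = "max-age=60; includeSubDomains; preload"
SAMPLE_HPKP = (
    'pin-sha256="' + spki_pin(b"constructed-spki-bytes") + '"; '
    "max-age=31536000; includeSubDomains"
)

if __name__ == "__main__":
    for name, findings in (("HSTS", audit_hsts(SAMPLE_HSTS)), ("HPKP", audit_hpkp(SAMPLE_HPKP))):
        print(name, "OK" if not findings else "; ".join(findings))
```

In a real deployment, feed the functions the header values taken from the server's response (for example with a browser's network inspector) and compute the pin from the certificate's actual SPKI rather than the constructed bytes used here.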


TLS Fallback SCSV

To work around interoperability problems with legacy servers, many TLS client implementations do not rely on the TLS protocol version negotiation mechanism alone. They will intentionally reconnect using a downgraded protocol if the initial handshake attempts fail. Such clients may fall back to connections in which they announce a version as low as TLS 1.0 (or even its predecessor, Secure Sockets Layer (SSL) 3.0) as the highest supported version. To avoid such protocol downgrade attacks (the ones the TLS_FALLBACK_SCSV signalling value was introduced to counter), it is recommended to disable all TLS protocols except TLS 1.2. Click here for instructions to disable the weak protocols.

SSL Medium Strength Cipher Suites 

SigningHub does not use medium-strength ciphers (> 64-bit and < 112-bit key, or 3DES), so you can disable them to avoid any misuse. Click here for instructions to disable the weak or medium ciphers.

 

Hiding Application Errors and Server Information

Printing an exception in the browser, server OS information, application data or a version number can be of great value to an attacker. By default this is turned off to help with troubleshooting errors; however, when deployed in production it should be turned on. It can be turned on by setting "DetailedErrors": true in appsettings.Production.json.

 

Content Security Policy Header

This header helps to prevent code injection attacks such as cross-site scripting and clickjacking by telling the browser which dynamic resources are allowed to load. The value of the Content-Security-Policy header is made up of several directives separated by semicolons; 'self' translates to the same origin as the HTML resource. With this minimum configuration, your HTML is allowed to fetch JavaScript, stylesheets etc. only from the same origin that served the HTML referencing those resources; you won't be able to include external scripts from CDNs and similar sources. This header is added in web.config and you need to change the SigningHub URLs accordingly:

object-src 'none'; default-src 'self' https://client.go-sign-desktop.com:8782/gosign-desktop; script-src  'self' 'unsafe-inline' 'unsafe-eval' https://www.dropbox.com [ADSS_URL]/adss/gosign/ https://seal.globalsign.com/SiteSeal/ https://az416426.vo.msecnd.net/ https://googleads.g.doubleclick.net https://www.googleadservices.com https://www.googletagmanager.com https://bat.bing.com https://az416426.vo.msecnd.net https://www.google.com/recaptcha https://www.google.com/recaptcha/api.js https://www.gstatic.com/recaptcha/ http://apis.google.com https://docs.google.com/picker https://js.live.net https://www.google-analytics.com https://client.go-sign-desktop.com:8782/gosign-desktop https://graph.microsoft.com/v1.0/drive/items/ https://api.taxamo.com/js/v1/taxamo.all.js [API_URL] [WEB_URL]; style-src 'self' 'unsafe-inline'; img-src 'self' * data: blob:; font-src 'self' https://fonts.gstatic.com/ data:; connect-src 'self' https://www.google-analytics.com https://test.eideasy.com/api/ https://app.powerbi.com https://stats.g.doubleclick.net https://graph.microsoft.com/v1.0/ https://dc.services.visualstudio.com/v2/track https://graph.microsoft.com/v1.0/drive/items https://client.go-sign-desktop.com:8782 [ADSS_URL]/adss/gosign/handler https://client.go-sign-desktop.com:8782/gosign-desktop https://graph.microsoft.com/v1.0/me/drive/items/ [API_URL] [WEB_URL]; child-src 'self' https://docs.google.com/picker https://client.go-sign-desktop.com:8782/gosign-desktop https://accounts.google.com https://api.taxamo.com/ https://t1c.t1t.io:51983/info https://c.taxamo.com/ https://p.taxamo.com/ https://www.google.com/ https://t1c.t1t.io https://acc-ds.t1t.io/v3/tokens/application; frame-src https://api.taxamo.com/ https://p.taxamo.com/ https://app.powerbi.com/; frame-ancestors 'none';

Update the following placeholders in the CSP header:


[API_URL]
[WEB_URL]
[ADSS_URL]    (This is for local-side signing using ADSS Go>Sign)


Add the following URLs in connect-src for Belgian eID Card, in addition to the above CSP headers:


https://client.localmiddleware.be:20202/version 
https://client.localmiddleware.be:20202/status 
https://client.localmiddleware.be:20202/events 
https://client.localmiddleware.be:20202/session 
https://client.localmiddleware.be:20202/eID/signingSession 
https://client.localmiddleware.be:20202/eID/id 
https://client.localmiddleware.be:20202/eID/nonRepudiationCertificate 
https://client.localmiddleware.be:20202/eID/citizenCertificate 
https://client.localmiddleware.be:20202/eID/rootCertificate 
https://client.localmiddleware.be:20202/eID/signRsa


Add the following URLs in child-src and the last one in script-src for Stripe, in addition to the above CSP headers:


https://api.taxamo.com/
https://c.taxamo.com/
https://p.taxamo.com/
https://api.taxamo.com/js/v1/taxamo.all.js


Add the following URLs in connect-src for T1C signing, in addition to the above CSP headers:


https://t1c.t1t.io 
https://t1c.t1t.io:51983/info


This configuration lets your web application load resources and styles from its own domain plus scripts from http://apis.google.com, https://js.live.net and https://www.google-analytics.com.
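Because the CSP value above is a single long string that is edited by hand (placeholders replaced, per-connector sources appended), it is easy to leave a placeholder unresolved or to widen a directive further than intended. The following is an added example, not part of the SigningHub documentation or product: it parses a Content-Security-Policy value into its directives, substitutes the [API_URL], [WEB_URL] and [ADSS_URL] placeholders, and reports the points a reviewer would raise: 'unsafe-inline' and 'unsafe-eval' in script-src, a bare wildcard source, cleartext http:// sources, unresolved placeholders, a missing object-src 'none' and a missing frame-ancestors directive. The policy and the replacement URLs are constructed for the example (shortened from the shape of the policy above); the example.com hosts are placeholders, not SigningHub values.

```python
def parse_csp(policy, placeholders=None):
    """Parse a Content-Security-Policy value into {directive: [sources]}.
    Placeholders such as [API_URL] are substituted first, as the deployment
    steps above require."""
    for key, url in (placeholders or {}).items():
        policy = policy.replace(key, url)
    directives = {}
    for segment in policy.split(";"):
        tokens = segment.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(directives):
    """Return a list of findings, in directive order, for a parsed policy."""
    findings = []
    # script-src falls back to default-src when absent, as browsers do.
    script = directives.get("script-src") or directives.get("default-src") or []
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in script:
            findings.append(f"script-src allows {weak}")
    for name, sources in directives.items():
        for src in sources:
            if src == "*":
                findings.append(f"{name} allows any origin (*)")
            elif src.startswith("http://"):
                findings.append(f"{name} permits cleartext source {src}")
            elif src.startswith("[") and src.endswith("]"):
                findings.append(f"{name} contains unresolved placeholder {src}")
    if directives.get("object-src") != ["'none'"]:
        findings.append("object-src should be 'none' to block plugin content")
    if "frame-ancestors" not in directives:
        findings.append("frame-ancestors missing: page may be framed (clickjacking)")
    return findings


# Constructed sample policy, shortened from the shape of the policy documented above.
SAMPLE_CSP = (
    "object-src 'none'; default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://apis.google.com [API_URL] [WEB_URL]; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' * data: blob:; "
    "connect-src 'self' [API_URL] [WEB_URL]; frame-ancestors 'none'"
)

# Placeholder hosts for the example; a real deployment uses its own URLs.
PLACEHOLDERS = {
    "[API_URL]": "https://api.example.com",
    "[WEB_URL]": "https://web.example.com",
    "[ADSS_URL]": "https://adss.example.com",
}


def audit_policy(policy, placeholders=None):
    """Convenience wrapper: parse then audit."""
    return audit_csp(parse_csp(policy, placeholders))


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_CSP, PLACEHOLDERS):
        print("-", finding)
```

Run against the sample, the audit reports the two unsafe script-src keywords, the cleartext apis.google.com source and the img-src wildcard; run without the placeholder map it additionally reports each unresolved [API_URL] and [WEB_URL] token, which is the check worth running after editing web.config.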

 

CAPTCHA Configurations
Google CAPTCHA must be configured in the SigningHub application to prevent brute-force attacks. This can be configured in the SigningHub admin console under Connectors, and has to be set as the default Google CAPTCHA under Global Settings.

