Securing cookies

To secure SigningHub cookies, uncomment the following code in the [SigningHub-Installation-Dir]/api/web.config file:

<httpCookies httpOnlyCookies="true" requireSSL="true"/>


Note that this should only be enabled when SigningHub is configured to run over SSL, because requireSSL marks the cookies as Secure and the browser will then send them only over HTTPS.


'X-XSS-Protection' header

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when the browser detects a reflected cross-site scripting (XSS) attack. This header is added by default in web.config.


Content Security Policy Header

This header helps to prevent code injection attacks such as cross-site scripting and clickjacking by telling the browser which dynamic resources are allowed to load. The value of the Content-Security-Policy header is made up of several directive segments separated by semicolons; 'self' translates to the same origin as the HTML resource. With this minimum configuration, your HTML is allowed to fetch JavaScript, stylesheets etc. only from the same domain that served the HTML referencing those resources; you will not be able to include external scripts from CDNs and similar.


This header is added in web.config and you need to change the SigningHub URLs accordingly:

<add name="Content-Security-Policy" value="default-src 'self' https://client.go-sign-desktop.com:8782/gosign-desktop;
connect-src 'self' https://dc.services.visualstudio.com/v2/track https://www.facebook.com/tr/ https://client.go-sign-desktop.com:8782/gosign-desktop https://graph.microsoft.com/v1.0/drive/items/ https://graph.microsoft.com/v1.0/me/drive/items/ https://client.go-sign-desktop.com:8782 https://web.signinghub.com/adss/gosign/handler ws://web.signinghub.com/;
child-src 'self' https://docs.google.com/picker https://client.go-sign-desktop.com:8782/gosign-desktop https://accounts.google.com https://www.google.com/;
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googleadservices.com/pagead/conversion.js https://bat.bing.com/bat.js http://apis.google.com https://apis.google.com/js/api.js https://docs.google.com/picker https://js.live.net https://www.google-analytics.com https://client.go-sign-desktop.com:8782/gosign-desktop https://web.signinghub.com https://api.taxamo.com/js/v1/taxamo.all.js https://graph.microsoft.com/v1.0/me/drive/items/ https://www.gstatic.com/recaptcha/api2/;
style-src 'self' 'unsafe-inline';
img-src 'self' * data: blob:;
frame-src 'self' *;" />


'X-Frame-Options' Response Header

To mitigate the frameable response (clickjacking) vulnerability, X-Frame-Options can be set to 'DENY' in web.config. However, this is not recommended when SigningHub has to be used within an IFrame.

<add name="X-Frame-Options" value="DENY" />


Cacheable HTTPS Response

To prevent sensitive information from being stored in the browser's local cache, set the no-cache option by adding the following header in web.config.

<add name="Cache-Control" value="no-cache" />


The Content-Security-Policy configuration above lets your web application load resources and styles from its own domain, plus scripts from the listed sources, including http://apis.google.com, https://js.live.net and https://www.google-analytics.com.
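As an added check that is not part of SigningHub or this page, the following Python audits a set of response headers against the web.config hardening described above: cookie HttpOnly/Secure flags, presence of X-XSS-Protection, X-Frame-Options DENY, Cache-Control no-cache, and the CSP directives. The header values are a constructed sample, not captured from a SigningHub server; CSP sources that weaken the policy ('unsafe-inline', 'unsafe-eval', '*' and http:// origins) also appear in the sample policy above, so they are reported as review points rather than errors.

```python
# Constructed sample of headers an IIS site would emit with the web.config settings above.
# One cookie deliberately lacks the Secure flag so that the audit produces a finding.
SAMPLE_HEADERS = {
    "Set-Cookie": [
        "ASP.NET_SessionId=abc123; path=/; HttpOnly",
        ".ASPXAUTH=xyz; path=/; HttpOnly; Secure",
    ],
    "X-XSS-Protection": ["1; mode=block"],
    "Content-Security-Policy": [
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' "
        "http://apis.google.com https://apis.google.com/js/api.js; "
        "style-src 'self' 'unsafe-inline'; img-src 'self' * data: blob:; frame-src 'self' *"
    ],
    "X-Frame-Options": ["DENY"],
    "Cache-Control": ["no-cache"],
}

WEAK_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*")

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; directives are ';'-separated."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit(headers):
    """Return findings as strings; an empty list means every check passed."""
    found = []
    h = {k.lower(): v for k, v in headers.items()}
    for cookie in h.get("set-cookie", []):            # each Set-Cookie needs HttpOnly and Secure
        name = cookie.split("=", 1)[0]
        flags = {f.strip().lower() for f in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in flags:
                found.append(f"cookie {name} lacks {flag}")
    if "x-xss-protection" not in h:
        found.append("X-XSS-Protection missing")
    if "deny" not in [v.strip().lower() for v in h.get("x-frame-options", [])]:
        found.append("X-Frame-Options is not DENY")
    cc = {t.strip().lower() for v in h.get("cache-control", []) for t in v.split(",")}
    if "no-cache" not in cc:
        found.append("Cache-Control lacks no-cache")
    if "content-security-policy" not in h:
        found.append("Content-Security-Policy missing")
    for directive, sources in parse_csp(h.get("content-security-policy", [""])[0]).items():
        for src in sources:                            # wildcard, unsafe-*, or plaintext origin
            if src in WEAK_SOURCES or src.startswith("http://"):
                found.append(f"CSP {directive} allows {src}; review")
    return found

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HEADERS)) or "all checks passed")
```

Running it against the sample reports the cookie without Secure and six CSP sources to review; feeding it the headers of a real deployment (for example from a `curl -I` capture) shows which of the settings on this page are actually in effect.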


See Also