Securing cookies

To secure SigningHub cookies, uncomment the following code in the [SigningHub-Installation-Dir]/web/web.config file:

<httpCookies httpOnlyCookies="true" requireSSL="true"/>


It should only be enabled when SigningHub Admin is configured to run over SSL.


'X-XSS-Protection' header

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading, when they detect reflected cross-site scripting (XSS) attacks. This header is added by default in the web.config file.


HTTP Strict Transport Security (HSTS) header

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) is a security feature that lets a website to tell browsers that it should only be communicated over HTTPS, instead of HTTP. 


To enable HSTS, add the following header in HTTP Response Headers of IIS against SigningHub Desktop Web website:

Strict-Transport-Security: max-age=<expire-time>; includeSubDomains

max-age


The time, in seconds, that a browser should remember that this site is only to be accessed using HTTPS e.g. 31536000.

includeSubDomains [Optional]

 

If this Optional parameter is specified, this rule applies to all of the site's sub-domains as well.

HTTP Public Key Pinning header

The HTTP Public-Key-Pins response header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them is used by the server, the browser will not accept the response as legitimate, and will not display it. To enable Key Pinning, add the following header in HTTP Response Headers of IIS against SigningHub Desktop Web website:

Public-Key-Pins: pin-sha256="<pin-value>"; 

max-age=<expire-time>; 

includeSubDomains 

pin-sha256

 

The quoted string is the Base64 encoded Subject Public Key Information (SPKI) fingerprint. It is possible to specify multiple pins for different public keys. Some browsers might allow other hashing algorithms than SHA-256 in future.

max-age


The time, in seconds, that a browser should remember that this site is only to be accessed using one of the defined keys e.g. 31536000.

includeSubDomains [Optional]

 

If this Optional parameter is specified, this rule applies to all of the site's sub domains as well.

 

TLS Fallback SCSV

To work around interoperability problems with legacy servers, many TLS client implementations do not rely on the TLS protocol version negotiation mechanism alone. They will intentionally reconnect using a downgraded protocol if initial handshake attempts fail.  Such clients may fallback to connections in which they announce a version as low as TLS 1.0 (or even its predecessor, Secure Socket Layer (SSL) 3.0) as the highest supported version. To avoid the TLS Fallback SCSV attacks, it is recommended to disable all TLS protocols except TLS 1.2. Click here for instructions to disable the weak protocols.

SSL Medium Strength Cipher Suites 

SigningHub does not use the Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES), so you can disable them to avoid any misuse. Click here for instructions to disable the weak or medium ciphers.

 

Hiding Application Errors and Server Information

Printing of an exception in browser, server OS information, application data or version number can be of great value for an attacker. By default this is turned off to help troubleshooting errors, however when deployed in production then this should be turned on. It can be turned on by setting customErrors="On" in [SigningHub-Installation-Dir]/web/web.config.

 

Content Security Policy Header

This header helps to prevent code injection attacks like cross-site scripting and click-jacking by telling the browser which dynamic resources are allowed to load. The value of the Content-Security-Policy header is made up of x segments separated by a semicolon; self translates to the same origin as the HTML resource. With this minimum configuration, your HTML is allowed to fetch JavaScripts, stylesheets, etc. from the same domain that served the HTML referencing of the resources. You won't be able to include external scripts from CDNs and similar. This header is added in web.config and you need to change the SigningHub URLs accordingly:

<add name="Content-Security-Policy" value="default-src 'self' https://client.go-sign-desktop.com:8782/gosign-desktop;connect-src 'self' 
https://graph.microsoft.com/v1.0/me?%24select=mySite 
https://dc.services.visualstudio.com/v2/track https://www.facebook.com/tr/ https://client.go-sign-desktop.com:8782/gosign-desktop https://graph.microsoft.com/v1.0/drive/items/ https://graph.microsoft.com/v1.0/me/drive/items/ https://client.go-sign-desktop.com:8782 https://web.signinghub.com/adss/gosign/handler ws://web.signinghub.com/ https://accapim.t1t.be:443 https://localhost:10443/v2/; child-src 'self' https://docs.google.com/picker https://client.go-sign-desktop.com:8782/gosign-desktop https://accounts.google.com https://www.google.com/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googleadservices.com/pagead/conversion.js https://bat.bing.com/bat.js http://apis.google.com https://apis.google.com/js/api.js https://docs.google.com/picker https://js.live.net https://www.google-analytics.com https://client.go-sign-desktop.com:8782/gosign-desktop https://web.signinghub.com https://api.taxamo.com/js/v1/taxamo.all.js https://graph.microsoft.com/v1.0/me/drive/items/ https://www.gstatic.com/recaptcha/api2/; style-src 'self' 'unsafe-inline'; img-src 'self' * data: blob:;frame-src 'self' *;" />


Add the following URLs in connect-src for Belgian eID Card, in addition to the above CSP headers:

https://client.localmiddleware.be:20202/status 
https://client.localmiddleware.be:20202/events 
https://client.localmiddleware.be:20202/session 
https://client.localmiddleware.be:20202/eID/signingSession 
https://client.localmiddleware.be:20202/eID/id 
https://client.localmiddleware.be:20202/eID/nonRepudiationCertificate 
https://client.localmiddleware.be:20202/eID/citizenCertificate 
https://client.localmiddleware.be:20202/eID/rootCertificate 
https://client.localmiddleware.be:20202/eID/signRsa


Add the following URLs in child-src and the last one in script-src for Stripe, in addition to the above CSP headers:

https://api.taxamo.com/
https://c.taxamo.com/
https://api.taxamo.com/js/v1/taxamo.all.js


Add the following URLs in connect-src for T1C signing, in addition to the above CSP headers:

https://accapim.t1t.be:443 https://localhost:10443/v2/


This configuration lets your web application to load resources and styles from its own domain plus scripts from http://apis.google.comhttps://js.live.net and https://www.google-analytics.com

 

Referrer Policy Header

Browsers automatically add the Referrer header, when a user clicks a link on your site. This means that a linked website will be able to see where the users are coming from. While this is a great feature for Analytics, you may have sensitive information in your URLs which you don't want to forward to other domains. To remove the referrer entirely, add the following header in web.config:

<add name="Referrer-Policy" value=" origin" />


‘X-FRAME-OPTIONS’ Response Header

To restrict frameable response vulnerability. X-FRAME_OPTIONS can be set to ‘DENY’ in web.config. However, it is not recommended when SigningHub has to be used within IFrame.

<add name="X-Frame-Options" value="DENY" />


Cacheable HTTPS Response

To prevent sensitive information to be stored in browsers local cache, set no-cache option by adding following header under web.config.

<add name="Cache-Control" value="no-cache" />


CAPTCHA Configurations
Google CAPTCHA must be configured in SigningHub application to prevent brute force attack. This can be configured in SigningHub admin console under connectors and has to be set as default Google CAPTCHA under Global Settings.



See Also