Securing cookies

'X-XSS-Protection' header

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops a page from loading when the browser detects a reflected cross-site scripting (XSS) attack. This header is added by default in web.config.


Content Security Policy Header

This header helps to prevent code injection attacks such as cross-site scripting and clickjacking by telling the browser which dynamic resources are allowed to load. The value of the Content-Security-Policy header is made up of several segments (directives) separated by semicolons; 'self' translates to the same origin as the HTML resource. With this minimum configuration, your HTML is allowed to fetch JavaScript, stylesheets and so on only from the same domain that served the HTML referencing those resources; you will not be able to include external scripts from CDNs and similar. This header needs to be added to SigningHub Admin, and you need to change the SigningHub URLs accordingly:

<add name="Content-Security-Policy" value="default-src 'self' https://client.go-sign-desktop.com:8782/gosign-desktop;
connect-src 'self' https://dc.services.visualstudio.com/v2/track https://www.facebook.com/tr/ https://client.go-sign-desktop.com:8782/gosign-desktop https://graph.microsoft.com/v1.0/drive/items/ https://graph.microsoft.com/v1.0/me/drive/items/ https://client.go-sign-desktop.com:8782 https://web.signinghub.com/adss/gosign/handler ws://web.signinghub.com/;
child-src 'self' https://docs.google.com/picker https://client.go-sign-desktop.com:8782/gosign-desktop https://accounts.google.com https://www.google.com/;
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googleadservices.com/pagead/conversion.js https://bat.bing.com/bat.js http://apis.google.com https://apis.google.com/js/api.js https://docs.google.com/picker https://js.live.net https://www.google-analytics.com https://client.go-sign-desktop.com:8782/gosign-desktop https://web.signinghub.com https://api.taxamo.com/js/v1/taxamo.all.js https://graph.microsoft.com/v1.0/me/drive/items/ https://www.gstatic.com/recaptcha/api2/;
style-src 'self' 'unsafe-inline';
img-src 'self' * data: blob:;
frame-src 'self' *;" />


'X-Frame-Options' Response Header

To mitigate the frameable-response (clickjacking) vulnerability, X-Frame-Options can be set to 'DENY' in web.config. However, this is not recommended when SigningHub has to be used within an iframe.

<add name="X-Frame-Options" value="DENY" />



Cacheable HTTPS Response

To prevent sensitive information from being stored in the browser's local cache, set the no-cache option by adding the following header under web.config.

<add name="Cache-Control" value="no-cache" />


The Content-Security-Policy configuration shown above lets your web application load resources and styles from its own domain, plus scripts from http://apis.google.com, https://js.live.net and https://www.google-analytics.com.
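As an added example (not SigningHub's code and not part of its web.config), the following Python script parses a Content-Security-Policy value into its directives and audits a set of response headers for the points the sections above make: a missing X-XSS-Protection or CSP header, an X-Frame-Options value that does not block framing, a Cache-Control that lacks no-store (no-cache only forces revalidation, so a copy can still be kept locally), and CSP directives that carry 'unsafe-inline', 'unsafe-eval', a bare wildcard, or a plain-http source. The SAMPLE_HEADERS dict is constructed here from a subset of the values on this page; the X-XSS-Protection value is an assumption, since the page does not state one. Header and directive names are the standard ones.

```python
"""Parse a CSP header and audit the response headers discussed on this page.

Added example, not SigningHub code. SAMPLE_HEADERS is constructed from a
subset of the values shown above; in practice you would feed in the headers
of a real HTTPS response to the site you are checking.
"""
from __future__ import annotations

# Constructed sample (X-XSS-Protection value assumed; the others are from this page).
SAMPLE_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
    "Cache-Control": "no-cache",
    "Content-Security-Policy": (
        "default-src 'self' https://client.go-sign-desktop.com:8782/gosign-desktop; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://apis.google.com "
        "https://apis.google.com/js/api.js https://js.live.net "
        "https://www.google-analytics.com; "
        "style-src 'self' 'unsafe-inline'; "
        "img-src 'self' * data: blob:; "
        "frame-src 'self' *"
    ),
}

# Source expressions that weaken a directive enough to be worth reporting.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directives are separated by ';'. Within a directive, the first
    whitespace-delimited token is the name and the rest are source
    expressions. A repeated directive name is ignored (first one wins),
    which is what browsers do.
    """
    policy: dict[str, list[str]] = {}
    for segment in value.split(";"):
        tokens = segment.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings (empty list means nothing to report)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    cache_tokens = {t.strip().lower() for t in h.get("cache-control", "").split(",")}
    if "no-store" not in cache_tokens:
        # no-cache makes the browser revalidate before reuse but still allows
        # it to keep a copy; no-store is the directive that forbids storage.
        findings.append("Cache-Control lacks no-store (no-cache alone permits local storage)")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    for directive, sources in csp.items():
        risky = sorted(RISKY_SOURCES & set(sources))
        if risky:
            findings.append(f"{directive} allows {', '.join(risky)}")
        for src in sources:
            # A plain-http source on an HTTPS site lets a network attacker
            # substitute the resource, so the directive no longer constrains it.
            if src.startswith("http://"):
                findings.append(f"{directive} allows insecure origin {src}")
    return findings


if __name__ == "__main__":
    for line in audit_headers(SAMPLE_HEADERS):
        print("-", line)
```

Run as-is, the script reports the Cache-Control point, the 'unsafe-inline'/'unsafe-eval' and http://apis.google.com entries in script-src, 'unsafe-inline' in style-src, and the bare wildcards in img-src and frame-src; the decision on each is still yours, since the page's own notes explain why some of them (the iframe case, the external script hosts) are needed by SigningHub.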