Securing SigningHub API
Securing cookies
To secure SigningHub cookies, uncomment the following code in [SigningHub-Installation-Dir]/api/web.config file:
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
It should only be enabled when SigningHub Admin is configured to run over SSL.
'X-XSS-Protection' header
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when the browser detects a reflected cross-site scripting (XSS) attack. This header is added by default in web.config.
Content Security Policy Header
This header helps to prevent code injection attacks such as cross-site scripting and click-jacking by telling the browser which dynamic resources it is allowed to load. The value of the Content-Security-Policy header is made up of one or more directives separated by semicolons; the source 'self' translates to the same origin as the HTML resource. With this minimum configuration, your HTML is allowed to fetch JavaScript, stylesheets etc. only from the same origin that served the HTML which references those resources. You won't be able to include external scripts from CDNs and similar.
This header is added in web.config and you need to change the SigningHub URLs accordingly:
<add name="Content-Security-Policy" value="default-src 'self' https://client.go-sign-desktop.com:8782/gosign-desktop ;connect-src 'self' https://dc.services.visualstudio.com/v2/track" />
‘X-FRAME-OPTIONS’ Response Header
To mitigate the frameable response (click-jacking) vulnerability, X-Frame-Options can be set to ‘DENY’ in web.config. However, this is not recommended when SigningHub has to be used within an IFrame.
<add name="X-Frame-Options" value="DENY" />
Cacheable HTTPS Response
To prevent sensitive information from being stored in the browser's local cache, set the no-cache option by adding the following header in web.config.
<add name="Cache-Control" value="no-cache" />
This configuration lets your web application load resources and styles from its own domain, plus scripts from http://apis.google.com, https://js.live.net and https://www.google-analytics.com.
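After applying the web.config changes above, a deployment check should confirm that the headers actually reach the client. The following script is an added example, not SigningHub's own code or tooling: it parses a Content-Security-Policy value into its directives and audits a set of response headers against the cookie flags (HttpOnly, Secure), X-XSS-Protection, Content-Security-Policy, X-Frame-Options and Cache-Control settings described on this page. The SAMPLE_HEADERS dictionary is constructed for illustration, and fetch_headers is a hypothetical helper for pointing the audit at a live SigningHub API URL over HTTPS.

```python
"""Audit HTTP response headers against the SigningHub hardening settings (added example)."""
from __future__ import annotations

import http.client
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample: headers as a hardened SigningHub API deployment might return them.
SAMPLE_HEADERS = {
    "Set-Cookie": "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": (
        "default-src 'self' https://client.go-sign-desktop.com:8782/gosign-desktop ;"
        "connect-src 'self' https://dc.services.visualstudio.com/v2/track"
    ),
    "X-Frame-Options": "DENY",
    "Cache-Control": "no-cache",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for segment in value.split(";"):
        parts = segment.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def external_sources(policy: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (directive, source) pairs for every source other than 'self'."""
    return [(d, s) for d, sources in policy.items() for s in sources if s.lower() != "'self'"]


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check on this page passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Cookie flags: httpOnlyCookies="true" adds HttpOnly, requireSSL="true" adds Secure.
    cookie = h.get("set-cookie", "")
    attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
    if cookie and "httponly" not in attrs:
        findings.append('Set-Cookie lacks HttpOnly (httpOnlyCookies="true" not in effect)')
    if cookie and "secure" not in attrs:
        findings.append('Set-Cookie lacks Secure (requireSSL="true" not in effect)')

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection header missing")

    # CSP: default-src must include 'self'; flag wildcard or plain-http sources.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        policy = parse_csp(csp)
        default = [s.lower() for s in policy.get("default-src", [])]
        if "'self'" not in default:
            findings.append("Content-Security-Policy default-src does not include 'self'")
        for directive, src in external_sources(policy):
            if src == "*" or src.lower().startswith("http:"):
                findings.append(f"Content-Security-Policy {directive} allows weak source {src}")

    # Click-jacking: DENY is what the page recommends; SAMEORIGIN is the IFrame-compatible fallback.
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (click-jacking risk)")

    cache = h.get("cache-control", "").lower()
    if "no-cache" not in cache and "no-store" not in cache:
        findings.append("Cache-Control does not disable caching of HTTPS responses")

    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Hypothetical helper: HEAD request over HTTPS, returning the response headers."""
    u = urlparse(url)
    conn = http.client.HTTPSConnection(u.hostname or "", u.port or 443, timeout=10)
    conn.request("HEAD", u.path or "/")
    return dict(conn.getresponse().getheaders())


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) or ["all checks passed"]:
        print(finding)
```

Run it against a live deployment with audit_headers(fetch_headers("https://<signinghub-host>/api/")); note that dict() keeps only the last of several Set-Cookie headers, so inspect each cookie separately if the API sets more than one.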