How to Implement HTML5 Security Standard
Service Studio Version
11.11.4 (Build 43812)

Hi All,


I would like to reach out about how the CORS HTTP headers should be configured. We are currently in the process of a security review, and our InfoSec team told us that we need to update and implement the HTML5 Security Standards.


Here is our current Header


Here is the recommendation that we need to implement as per our config above.

Note:

  • Validate URLs passed to XMLHttpRequest.open. Current browsers allow these URLs to be cross-domain, and this behavior can lead to code injection by a remote attacker. Pay extra attention to absolute URLs.
  • URLs responding with Access-Control-Allow-Origin: * must not include any sensitive content or information that might aid an attacker in further attacks. Use the Access-Control-Allow-Origin header only on chosen URLs that need to be accessed cross-domain. Do not use the header for the whole domain.
  • When using the Access-Control-Allow-Credentials: true response header, whitelist the allowed Origins and never echo back the Origin request header in Access-Control-Allow-Origin.
  • Allow only selected, trusted domains in the Access-Control-Allow-Origin header. Whitelisting domains is preferable over blacklisting or allowing any domain. Do not use the * wildcard, nor blindly return the Origin header content without any checks.


If possible, can anyone help me with how to implement the above, e.g. a sample line, as I'm new to such configurations?


Thank you in advance.
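The allowlist approach described in the note above, as an added example that is not from the original post or from OutSystems: a small Python function that computes the CORS response headers for a request's Origin, matching it exactly against a fixed list instead of echoing it back, and answering `*` only for resources explicitly marked public and never with credentials. The origins in ALLOWED_ORIGINS and the function names are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: exact origins (scheme + host [+ port]), never patterns.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Canonicalise an Origin value to scheme://host[:port]; None if it is not a bare origin.

    Browsers send Origin without path, query, fragment or userinfo, so anything carrying
    those is rejected rather than cleaned up. The literal value 'null' also fails here.
    """
    if not origin:
        return None
    parts = urlsplit(origin.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname or "@" in parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # ValueError for a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port and port != DEFAULT_PORTS[scheme]:
        host = f"{host}:{port}"
    return f"{scheme}://{host}"


def cors_headers(origin, allow_credentials=False, public=False, allowed=ALLOWED_ORIGINS):
    """Return the CORS response headers for one request.

    public=True is for resources with nothing sensitive: it answers '*' and refuses
    credentials, since '*' with Access-Control-Allow-Credentials: true is never valid.
    Otherwise the Origin must match the allowlist exactly (never echoed back unchecked);
    no match means no CORS headers at all, so the browser blocks the cross-origin read.
    """
    if public:
        if allow_credentials:
            raise ValueError("a public (*) resource must not allow credentials")
        return {"Access-Control-Allow-Origin": "*"}
    normalized = normalize_origin(origin)
    if normalized is None or normalized not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": normalized,
               "Vary": "Origin"}  # response depends on Origin, so caches must key on it
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

A static header added in web.config cannot make this per-request decision; the check has to run in code that sees the request's Origin header, and only for the endpoints that genuinely need cross-origin access.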

I'm interested by this too :)


Any documentation on it?


Hi,

Maybe this post helps.

Regards,

Daniel

Thank you for the link.


Now I'm in the process of implementing the fixes. BTW, another thing was raised.

We need to change the Cache-Control value from private to no-cache. But when adding Cache-Control in the web.config, it only appends the value, so now it is private, no-cache.



I have replied to your other post here.

Regards,

Nordin
