# Security Configuration
The settings for:
* Cross-Origin Resource Sharing (CORS)
* Cookies
* Content Security Policy (CSP)

are made in the admin snap-in under General system configurations/System settings/Security.
# Cookies
Field | Values | Description |
---|---|---|
Cookie HttpOnly | true / false | If set to true (default), cookies can only be read via HTTP and are not readable by JavaScript (see below). |
Cookie Secure | true / false | For secure requests, we recommend setting this to false and using the X-Forwarded-Proto header instead (see below). |
Cookie SameSite | | Defines whether cookies are readable from other websites (Information about SameSite). Please note: the value none only works with HTTPS ("Cookie Secure" does not have to be set to true for this, though; see below). |
# Cookie HTTPOnly
Cookie HttpOnly is set to true by default. In a standard system, cookies can then only be read via HTTP, which is sufficient.
Set "Cookie HttpOnly" to false if cookies must also be readable from JavaScript.
Information about HTTPOnly
# Cookie Secure
For secure cookies, we now recommend using the X-Forwarded-Proto header. The Cookie Secure switch should then be set to false.
Whether access is via HTTPS should be signalled with the X-Forwarded-Proto header. The cookie attribute is derived from isSecure of the HTTP request, so the X-Forwarded-Proto header must be set by the load balancer/proxy.
Example: for Apache, the header is set like this:
```apache
RequestHeader set X-Forwarded-Proto "https"
```
Please note: Do not set Cookie Secure to true in new installations, and disable it in existing installations if possible.
(Information about Cookie Secure)
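The following is an added example (not 4ALLPORTAL's own code) that models how the three cookie settings from the table above combine with the proxy's X-Forwarded-Proto header into a Set-Cookie value; the derivation of isSecure from X-Forwarded-Proto and the cookie name are assumptions.

```python
# Added example, not 4ALLPORTAL's own code: models how Cookie HttpOnly,
# Cookie Secure and Cookie SameSite combine with the proxy-supplied
# X-Forwarded-Proto header. The isSecure derivation is an assumption
# based on the text; request headers and cookie names are constructed.

def request_is_secure(headers: dict, hop_scheme: str) -> bool:
    """isSecure of the request. A proxy-supplied X-Forwarded-Proto takes
    precedence over the scheme of the hop that reached the application,
    which is why the proxy must always overwrite that header (Apache's
    'RequestHeader set' replaces any value a client may have sent)."""
    forwarded = headers.get("X-Forwarded-Proto", "").strip().lower()
    if forwarded:
        return forwarded == "https"
    return hop_scheme.lower() == "https"

def build_set_cookie(name: str, value: str, headers: dict, hop_scheme: str,
                     http_only: bool = True, cookie_secure: bool = False,
                     same_site=None) -> str:
    """Assemble the Set-Cookie value for one cookie under the given settings
    (defaults mirror the recommended configuration: HttpOnly on, Secure off)."""
    attrs = [f"{name}={value}"]
    if http_only:
        attrs.append("HttpOnly")          # not readable from JavaScript
    # Cookie Secure = true forces the attribute; false derives it per request
    secure = cookie_secure or request_is_secure(headers, hop_scheme)
    if secure:
        attrs.append("Secure")
    if same_site:
        # Browsers reject SameSite=None cookies that are not also Secure,
        # hence the note that the value none only works with HTTPS.
        if same_site.lower() == "none" and not secure:
            raise ValueError("SameSite=None requires a secure (HTTPS) request")
        attrs.append(f"SameSite={same_site}")
    return "; ".join(attrs)

if __name__ == "__main__":
    # Constructed request: browser spoke HTTPS to the proxy, proxy spoke
    # plain HTTP to the application and set X-Forwarded-Proto.
    proxied = {"X-Forwarded-Proto": "https"}
    print(build_set_cookie("session", "c0ffee", proxied, "http"))
    # -> session=c0ffee; HttpOnly; Secure
```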
# Cross-Origin Resource Sharing (CORS)
CORS is automatically active for your system URL. Direct access to your file system (e.g. to allow mounting for some plugins) is allowed by default.
Please note: Before starting a System synchronization, make sure to add the complete URL of the source system (including port) to "CORS allowed origins".
Information about CORS
Field | Description |
---|---|
CORS allowed origins | Allows access for these origins (see below). |
CORS allowed methods | Allows access for these HTTP methods. |
CORS allowed headers | List of allowed request headers. |
CORS exposed headers | List of response headers that may be exposed to the client. |
CORS max age | How long, in seconds, clients may cache the response to a pre-flight request. |
# CORS Allowed Origins
Note that an origin for the external_url (with configured port) and a second one for the corresponding default http or https URL are generated at runtime. Example:
```
external_url = http://test.4allportal.net:8181
```
generated origins:
* http://test.4allportal.net:8181
* https://test.4allportal.net
Add additional URLs if necessary (e.g. a SAML Asserting Party). Each entry must exactly match the value of the Origin header sent with the browser's OPTIONS (pre-flight) request. This means the URL must include the scheme (http/https) and the port, if one is used.
Make sure that when you perform a system synchronization, you specify the full URL of the source system (including port).
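As an added example (not 4ALLPORTAL's own code), the matching rule described above, exact agreement of scheme, host and port, applied to the generated origins from the example; the allow-list entries and the SAML placeholder origin are constructed.

```python
# Added example, not 4ALLPORTAL's own code: exact-match origin checking as a
# CORS allow-list requires. The allow-list below is constructed from the
# generated origins in the text plus a placeholder SAML Asserting Party.
from typing import Iterable
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample allow-list ("CORS allowed origins").
ALLOWED_ORIGINS = [
    "http://test.4allportal.net:8181",   # generated from external_url
    "https://test.4allportal.net",       # generated default https URL
    "https://idp.example.com",           # placeholder SAML Asserting Party
]

def normalize_origin(url: str) -> str:
    """Reduce a URL to its origin: lower-case scheme and host, default port
    dropped. Raises ValueError for entries that are not plain origins
    (missing scheme, path, query), which is what a misconfigured entry
    looks like and why it can never match a browser's Origin header."""
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) origin: {url!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"origin must not contain a path or query: {url!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    host = parts.hostname.lower()
    if port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"

def is_allowed_origin(origin_header: str, allowed: Iterable[str]) -> bool:
    """Exact match of scheme, host and port; no substring or suffix matching.
    A non-origin Origin header value (e.g. 'null') is simply not allowed."""
    try:
        wanted = normalize_origin(origin_header)
    except ValueError:
        return False
    return wanted in {normalize_origin(entry) for entry in allowed}
```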
# Content Security Policy (CSP)
Information about CSP
Field | Description |
---|---|
Content Security Policy | All values defined here are set in the "Content-Security-Policy" header. If nothing is configured, defaults such as default-src 'self' and frame-ancestors 'self' apply (see below), together with the automatically created URLs, as for CORS allowed origins (complete list of default values below). |
# CSP Default Values
In a default 4ALLPORTAL installation, the following values are set in the field Content Security Policy:
```
default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self' data:;
connect-src 'self' http: https: ws: wss: ; img-src 'self' data: blob:; frame-ancestors 'self'
```
# frame-ancestors 'self'
In a default 4ALLPORTAL, the value frame-ancestors 'self' is automatically added to the Content-Security-Policy header configuration. This security measure prevents your 4ALLPORTAL from being (unknowingly) embedded in another website.
Admins must consider this if they want to embed the 4ALLPORTAL themselves or if they have made a custom security configuration in the Security snap-in. The required actions are:
# Embed the 4ALLPORTAL
If you have not changed the default Security settings so far, the default value frame-ancestors 'self' prohibits all embedding.
If you explicitly want to allow embedding, e.g. as an iframe and/or if you use the 4App Object Picker (4allportal-object_selection), you need to manually add the required website after frame-ancestors 'self' (including http/https and port, if required). Example: frame-ancestors 'self' https://customerwebsite.example.com
# Custom Header Configuration
If you have any customization in your security configuration (e.g. URLs added to CORS, or a website added to CSP), the value frame-ancestors 'self' is not automatically added after an upgrade or update.
If you want to prohibit embedding of the 4ALLPORTAL in other websites, manually add the value frame-ancestors 'self' to your Content Security Policy configuration.
Please note: Make sure you additionally add the specific websites you explicitly allow embedding after frame-ancestors 'self' (including http/https and port, if required), e.g. if you use the 4App Object Picker (4allportal-object_selection). Example: frame-ancestors 'self' https://customerwebsite.example.com
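As an added example (not 4ALLPORTAL's own code) covering both the Embed and the Custom Header Configuration cases above: a small CSP parser that evaluates what a policy's frame-ancestors directive means for embedding, and a helper that restores frame-ancestors 'self' on a customised policy that lost it after an upgrade. The portal origin and the custom policy are constructed; the default policy is quoted from the CSP Default Values section.

```python
# Added example, not 4ALLPORTAL's own code: parses a Content-Security-Policy
# value and checks what its frame-ancestors directive means for embedding.
# The portal and embedder origins used in tests are constructed values.

# Default value quoted from the CSP Default Values section.
DEFAULT_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
               "style-src 'self' 'unsafe-inline'; font-src 'self' data:; "
               "connect-src 'self' http: https: ws: wss: ; "
               "img-src 'self' data: blob:; frame-ancestors 'self'")

def parse_csp(policy: str) -> dict:
    """Split a policy into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def embedding_allowed(policy: str, portal_origin: str, embedder_origin: str) -> bool:
    """Would a browser render the portal inside a frame on embedder_origin?
    frame-ancestors does not fall back to default-src: a policy without it
    allows every ancestor, which is the upgrade pitfall described above.
    Host wildcards such as https://*.example.com are not modelled."""
    sources = parse_csp(policy).get("frame-ancestors")
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    scheme_source = embedder_origin.split("://", 1)[0] + ":"   # e.g. "https:"
    for src in sources:
        if src == "'self'" and embedder_origin == portal_origin:
            return True
        if src == "*" or src == embedder_origin or src == scheme_source:
            return True
    return False

def ensure_frame_ancestors(policy: str, allowed_sites=()) -> str:
    """Restore frame-ancestors 'self' on a customised policy that lost it,
    optionally followed by the sites explicitly allowed to embed the portal."""
    if "frame-ancestors" in parse_csp(policy):
        return policy
    tail = "".join(" " + site for site in allowed_sites)
    return policy.rstrip("; ") + "; frame-ancestors 'self'" + tail
```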