Configure trusted origins - Fluid Topics - 3.9

Fluid Topics Configuration and Administration Guide

Category
Reference Guides
Audience
public
Version
3.9

In the Security administration interface, users with the ADMIN role can define a list of trusted web origins that are allowed to call public Fluid Topics web services. A web origin is defined by a URL consisting of a scheme (protocol), a host (domain name), and optionally, a port.

Configuring trusted origins makes a tenant more secure in the following ways:

  • During the SSO authentication process, the urlAfterLogin parameters are restricted to only trusted domains (in addition to the current "official" Fluid Topics domain from which the Fluid Topics portal is served).
  • The Cross-Origin Resource Sharing (CORS) policy of all public Fluid Topics web services is restricted to only trusted domains.
  • A frame-ancestors directive is generated for the Content-Security-Policy header (the modern replacement for the obsolete X-Frame-Options header).

In order to easily manage all sub-domains of a trusted domain, it is possible to use a wildcard value (*) at the beginning of a domain name as follows:

https://*.my-domain.com

This value defines the domain https://my-domain.com and all sub-domains (for example, https://foo.my-domain.com, https://bar.my-domain.com and https://foo.bar.baz.my-domain.com) as trusted domains.

Fluid Topics v3.9.14 introduces an improvement where the Trusted origins field is empty by default for new tenants. This prevents all third-party integrations from calling public Fluid Topics web services. To enable a third-party integration, it is necessary to add it to the list of trusted domains.

For tenants configured before the release of v3.9.14, the Trusted origins field contains a simple wildcard value (* by itself without any other text) by default, which means that all domains are considered trustworthy. It is highly recommended to modify the default setting in order to use Fluid Topics securely. This can be achieved by configuring one or more trusted origins, or by deleting the asterisk and leaving the field empty to prevent all third-party integrations from calling public Fluid Topics web services.

OWASP compliance

The ability to configure trusted origins brings the Fluid Topics application into compliance with OWASP Secure Software Development Lifecycle Requirement #5.1.5.

Additionally, Fluid Topics includes the following headers in each web service call:

  • X-Content-Type-Options.
  • Strict-Transport-Security.
  • Referrer-Policy.
  • Content-Security-Policy.

The Content-Security-Policy header retrieves the value(s) defined in the Trusted origins field, with the following behavior:

  • If the field is empty, the value in the header is set to self.
  • If the field contains a list of trusted origins, each appears in the header after self.
  • If the field contains a simple wildcard value (* by itself without any other text), the Content-Security-Policy header is absent and security is not optimal.
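The following Python snippet is an added example, not Fluid Topics code, that models the behavior this page describes for the Trusted origins field: matching a caller's origin against the list (including the leading `*.` wildcard, which covers the base domain and every sub-domain), the urlAfterLogin restriction to the portal's own origin plus trusted origins, and the Content-Security-Policy frame-ancestors directive derived from the field. The function names, the assumption that entries are separated by newlines or commas, the assumption that an origin without an explicit port uses the scheme's default port, and all sample origins are constructed for the example.

```python
# Added example (not Fluid Topics code): a model of the trusted-origin checks
# described on this page. Field format (newline or comma separated entries) and
# default-port handling are assumptions; sample origins are constructed.
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_trusted_origins(field: str) -> list[str]:
    """Split the Trusted origins field into its entries (separator is an assumption)."""
    return [e.strip() for e in field.replace(",", "\n").splitlines() if e.strip()]


def _origin_parts(origin: str) -> tuple[str, str, int]:
    """Return (scheme, lower-cased host, effective port) for a web origin URL."""
    u = urlsplit(origin.strip())
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"not a web origin: {origin!r}")
    # Assumption: a missing port means the scheme's default port.
    return u.scheme, u.hostname.lower(), u.port or DEFAULT_PORTS[u.scheme]


def origin_matches(trusted: str, candidate: str) -> bool:
    """True when the candidate origin is covered by one Trusted origins entry."""
    if trusted.strip() == "*":            # bare wildcard: every origin is trusted (legacy default)
        return True
    t_scheme, t_host, t_port = _origin_parts(trusted)
    c_scheme, c_host, c_port = _origin_parts(candidate)
    if (t_scheme, t_port) != (c_scheme, c_port):
        return False                      # scheme and port must match exactly
    if t_host.startswith("*."):           # e.g. https://*.my-domain.com
        base = t_host[2:]                 # covers my-domain.com and every sub-domain of it
        return c_host == base or c_host.endswith("." + base)
    return c_host == t_host               # otherwise the host must match exactly


def is_trusted_origin(field: str, candidate: str) -> bool:
    """CORS decision: is the caller's origin in the trusted list? Empty field trusts nobody."""
    return any(origin_matches(t, candidate) for t in parse_trusted_origins(field))


def url_after_login_allowed(field: str, portal_origin: str, url: str) -> bool:
    """urlAfterLogin check: the redirect target must be the portal's own origin or a trusted one.

    Only absolute URLs are accepted; a scheme-relative URL such as //evil.example/x
    has no scheme and is rejected rather than treated as same-origin.
    """
    u = urlsplit(url)
    if not u.scheme or not u.netloc:
        return False
    target = f"{u.scheme}://{u.netloc}"
    return origin_matches(portal_origin, target) or is_trusted_origin(field, target)


def frame_ancestors_directive(field: str) -> str | None:
    """Build the CSP frame-ancestors directive; None means the header is not emitted."""
    entries = parse_trusted_origins(field)
    if entries == ["*"]:                  # bare wildcard: no Content-Security-Policy header
        return None
    return " ".join(["frame-ancestors", "'self'", *entries])


if __name__ == "__main__":
    # Constructed sample field with one wildcard entry and one entry carrying an explicit port.
    field = "https://*.my-domain.com\nhttps://partner.example:8443"
    for origin in ("https://foo.bar.baz.my-domain.com", "https://evil-my-domain.com",
                   "https://my-domain.com.evil.net", "https://partner.example"):
        print(origin, "->", is_trusted_origin(field, origin))
    print(frame_ancestors_directive(field))
    print(frame_ancestors_directive(""))
    print(frame_ancestors_directive("*"))
```

The two negative cases in the demo matter: `evil-my-domain.com` and `my-domain.com.evil.net` both contain the trusted domain as a substring, but neither equals the base domain nor ends with `.my-domain.com`, so a wildcard entry does not trust them. With a bare `*` in the field the CORS check accepts every origin and no frame-ancestors directive is produced, which is the weak pre-v3.9.14 default this page recommends replacing.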