Configure trusted origins - Fluid Topics - Latest

Fluid Topics Configuration and Administration Guide

Category
Reference Guides
Audience
public
Version
Latest

In the Security administration interface, users with the ADMIN role can define a list of trusted web origins that are allowed to call public Fluid Topics web services. A web origin consists of a scheme (protocol), a host (domain name) and, optionally, a port; two URLs that differ in any of these three parts belong to different origins.

Configuring trusted origins makes a tenant more secure in the following ways:

  • During the SSO authentication process, the urlAfterLogin parameter can only point to a trusted origin (in addition to the current "official" Fluid Topics domain from which the portal is served), so the login flow cannot be used to redirect users to an arbitrary external site.

  • The Cross-Origin Resource Sharing (CORS) policy of all public Fluid Topics web services only accepts cross-origin requests from trusted origins.

  • A frame-ancestors directive listing the trusted origins is generated for the Content-Security-Policy header (the modern replacement for the obsolete X-Frame-Options header), which restricts the sites that may embed the portal in a frame.

To trust all sub-domains of a domain at once, use a wildcard (*) as the leftmost label of the host name, as follows:

https://*.my-domain.com

This value defines the domain https://my-domain.com and all sub-domains (for example, https://foo.my-domain.com, https://bar.my-domain.com and https://foo.bar.baz.my-domain.com) as trusted domains.

It is highly recommended to set strict trusted origins. Limit the use of the wildcard value to internal domains.

OWASP compliance

The ability to configure trusted origins brings the Fluid Topics application into compliance with OWASP Application Security Verification Standard (ASVS) requirement 5.1.5, which requires URL redirects and forwards to only allow destinations that appear on an allow list.

Additionally, Fluid Topics includes the following headers in every web service response:

  • X-Content-Type-Options.

  • Strict-Transport-Security.

  • Referrer-Policy.

  • Content-Security-Policy.

The presence of these headers satisfies OWASP ASVS requirements 14.4.4 (X-Content-Type-Options), 14.4.5 (Strict-Transport-Security), 14.4.6 (Referrer-Policy), and 14.4.7 (protection against embedding by third-party sites through frame-ancestors).

The frame-ancestors directive of the Content-Security-Policy header is built from the values defined in the Trusted origins field, with the following behavior:

  • If the field is empty, the directive contains only 'self', so the portal can only be framed by pages served from its own origin.

  • If the field contains a list of trusted origins, each origin is appended to the directive after 'self'.

  • If the field contains only a bare wildcard (* by itself, without any other text), the Content-Security-Policy header is omitted entirely. Browsers then receive no framing restriction at all, so security is not optimal.
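The following Python example, added here and not part of Fluid Topics, models the two uses of the trusted-origins list described on this page: the server-side check applied to CORS Origin values and to the urlAfterLogin redirect target (including the wildcard rule under which https://*.my-domain.com covers the apex domain and all its sub-domains), and the construction of the frame-ancestors directive with its three cases. It also evaluates the generated directive the way a browser does, to show one edge case worth knowing. The trusted origins, the portal origin and all function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed trusted-origins list in the form the page describes
# (scheme://host[:port], optional leading "*." wildcard). Hypothetical values.
TRUSTED_ORIGINS = [
    "https://docs.example.com",
    "https://*.corp.example.net",
    "http://localhost:3000",
]
# The "official" Fluid Topics domain from which the portal is served (assumed).
PORTAL_ORIGIN = "https://portal.example.com"

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(value):
    """Split an origin string into (scheme, host, port); None if it is not a bare origin."""
    try:
        p = urlsplit(value.strip())
        port = p.port                      # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    # A path, query, fragment or userinfo means the value is a URL, not an origin.
    if p.path not in ("", "/") or p.query or p.fragment or p.username:
        return None
    return p.scheme, p.hostname, port or DEFAULT_PORTS[p.scheme]


def host_matches(pattern_host, host, include_apex):
    """Wildcard host match. Per this page, "*.d" trusts d itself plus all sub-domains
    (include_apex=True); CSP host-source matching in browsers covers sub-domains only."""
    if pattern_host.startswith("*."):
        apex = pattern_host[2:]
        return host.endswith("." + apex) or (include_apex and host == apex)
    return host == pattern_host


def origin_trusted(candidate, trusted=TRUSTED_ORIGINS):
    """Server-side check for CORS Origin values and urlAfterLogin targets:
    scheme and port must match exactly, the host per the page's wildcard rule."""
    cand = parse_origin(candidate)
    if cand is None:
        return False
    for entry in trusted:
        if entry.strip() == "*":
            return True                    # bare wildcard: every origin is trusted
        t = parse_origin(entry)
        if t and t[0] == cand[0] and t[2] == cand[2] and host_matches(t[1], cand[1], True):
            return True
    return False


def redirect_allowed(url_after_login, portal_origin=PORTAL_ORIGIN, trusted=TRUSTED_ORIGINS):
    """Accept a post-login redirect only to the portal itself or to a trusted origin.
    Relative and scheme-relative values ("//evil.test/") are rejected outright here."""
    p = urlsplit(url_after_login)
    if not p.scheme or not p.netloc:
        return False
    return origin_trusted(f"{p.scheme}://{p.netloc}", [portal_origin, *trusted])


def frame_ancestors_header(trusted=TRUSTED_ORIGINS):
    """Content-Security-Policy value derived from the field, following the three rules
    on this page; None means the header is omitted (bare wildcard) and framing is unrestricted."""
    entries = [e.strip() for e in trusted if e.strip()]
    if any(e == "*" for e in entries):
        return None
    return "frame-ancestors " + " ".join(["'self'", *entries])


def browser_allows_framing(embedder_origin, header, portal_origin=PORTAL_ORIGIN):
    """Evaluate the generated header the way a browser does (simplified CSP host-source
    matching: exact scheme, exact port, wildcard covers sub-domains only)."""
    if header is None:
        return True                        # no frame-ancestors directive: any site may frame
    emb = parse_origin(embedder_origin)
    if emb is None:
        return False
    for src in header.split()[1:]:         # skip the "frame-ancestors" keyword
        if src == "'self'":
            if emb == parse_origin(portal_origin):
                return True
            continue
        t = parse_origin(src)
        if t and t[0] == emb[0] and t[2] == emb[2] and host_matches(t[1], emb[1], False):
            return True
    return False


if __name__ == "__main__":
    print(frame_ancestors_header())
    print(origin_trusted("https://corp.example.net"),
          browser_allows_framing("https://corp.example.net", frame_ancestors_header()))
```

Two points the example makes visible. First, an origin check compares scheme, host and port as a unit, and a host such as docs.example.com.evil.test must not be accepted just because it starts with a trusted name. Second, the wildcard semantics differ between the server and the browser: Fluid Topics treats https://*.my-domain.com as covering my-domain.com itself, but browsers evaluating the frame-ancestors directive match a "*." source against sub-domains only, so if the apex domain must be able to frame the portal, list it explicitly as a separate trusted origin.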