3.9 Configuring Security Settings

This section discusses various security settings available in SSPR.

To configure security settings, perform the following steps:

  1. In Configuration Editor, click Settings > Security.

  2. Click View > Always Show Advanced Settings to see and configure the advanced settings.

  3. Configure the settings:

    Field / Description

    Security Key

    A security key is used for tokens and other crypto functions. This setting is applicable if you have configured Crypto Token Storage Method.

    You must set a random security value for the tokens to function.

    Click Set Password to configure this. This value must be at least 32 characters. The longer and more random this value, the more secure it is. If multiple instances are in use, you should configure each instance with the same value.

    Enable Session Verification

    Select this check box to allow session verification by using a session verification key and a redirect. This verification proves the following:

    • The browser can correctly establish a session with the server.

    • The browser either supports cookies or URL sessions (if enabled).

    • The communication channel between the browser and the application server is sticky when there are multiple server instances.

    It helps prevent some types of XSS attacks.

    Require HTTPS

    Select this check box to require HTTPS (instead of cleartext HTTP) traffic to the application server. Non-secure connections are useful during testing. Production servers should always have this setting enabled.

    Show Detailed Error Message

    Select this check box to show detailed error messages. This setting is useful for administrators, especially during configuration.

    SSO Authentication Header Name

    Select this check box to allow auto-login by providing only the username; a password is not required. This setting controls the name of the HTTP header. For certain functions, the user is still prompted to enter the password.

    Redirect Whitelist

    Specify the list of URL fragments that are allowed for URL forwarding. In an application you can provide a link that redirects the user to a particular web page, provided the URL contains a fragment that is defined in the whitelist. URL forwarding follows these criteria:

    • The forwarding URL from a webpage must match the complete URL fragment that is listed in the whitelist.

    • The forwarding URL is decoded and processed before it is matched against the whitelist.

    • The forwarding URL must contain the fragment with the same spelling, wildcards and case as the URL fragment listed in the whitelist.

    • If a fragment has the prefix "regex", the remaining part of the fragment is treated as a regular expression, and it must match the entire URL.
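The matching rules above, as an added illustration that is not SSPR's own code: decode first, match literal entries case-sensitively as a prefix of the decoded URL (an assumption about what "complete fragment" means), and require regex entries to match the whole URL. The "regex:" separator, the whitelist contents and the test URLs are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed whitelist: one literal fragment and one regex entry.
# The "regex:" prefix form (with a colon) is an assumption of this example.
WHITELIST = [
    "https://intranet.example.com/portal/",
    r"regex:^https://app\.example\.com/(home|profile)$",
]

REGEX_PREFIX = "regex:"


def is_allowed_redirect(url: str, whitelist: list[str]) -> bool:
    """Return True if `url` may be used as a forwarding target.

    Rules (following the page):
      * the forwarding URL is percent-decoded before it is compared;
      * a literal entry must appear in full, with identical spelling and case;
        this example treats it as a prefix of the decoded URL (assumption);
      * an entry starting with "regex:" must match the ENTIRE decoded URL.
    """
    decoded = unquote(url)
    for entry in whitelist:
        if entry.startswith(REGEX_PREFIX):
            pattern = entry[len(REGEX_PREFIX):]
            # fullmatch enforces "must match the entire URL"; a partial hit is not enough
            if re.fullmatch(pattern, decoded):
                return True
        elif decoded.startswith(entry):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample targets, including an encoded one and a look-alike host.
    for target in [
        "https://intranet.example.com/portal/page1",
        "https%3A%2F%2Fintranet.example.com%2Fportal%2Fpage1",
        "https://Intranet.example.com/portal/page1",          # case differs: rejected
        "https://intranet.example.com.evil.test/portal/",     # look-alike host: rejected
        "https://app.example.com/home",
        "https://app.example.com/home/extra",                 # regex is not a full match: rejected
    ]:
        print(f"{target!r}: {'allowed' if is_allowed_redirect(target, WHITELIST) else 'blocked'}")
```

The trailing slash on the literal entry is what keeps the look-alike host out; a whitelist entry that ends at the hostname would not.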

    Enable Back Button Detection (Advanced)

    Select this check box to detect use of the back button or other browser navigation irregularities. This option prevents duplicate HTTP form submissions.

    Enable Form Nonce

    Select this check box to ask for a form nonce for each form in SSPR to prevent certain types of cross-site scripting (XSS) attacks.

    Disallowed HTTP Inputs

    Specify the patterns to disallow. If any input value (in any HTTP parameter) matches one of these patterns, the matching portion is stripped from the input.

    Force Basic Authentication

    Select this check box to hide the form page from unauthenticated users.

    Use X-Forwarded-For Header

    Use the X-Forwarded-For HTTP header value as the client IP address instead of the source IP address of the HTTP connection. The X-Forwarded-For header is typically added by upstream proxies or firewalls and is a reliable way to identify the user's source IP address.

    Enable Reverse DNS

    Select this check box to use the system's reverse DNS lookup for recording the hostname of the client. In some cases this can cause performance issues; disable it if it is not required.

    Allow Roaming Source Network Address (Advanced)

    Select this check box to allow a single HTTP session to be accessed from different source IP addresses. Some load balancing/proxy network infrastructures require this setting, but in most cases this option must be deselected.

    Required HTTP Headers (Advanced)

    Specify the required HTTP header name and value pairs. If specified, any HTTP request sent to the server must carry these headers. This feature is useful if you have a security gateway and want to allow only sessions that come through the gateway.

    The format of this setting must be "name=value".

    Permitted IP Network Addresses (Advanced)

    Specify the IP address ranges from which connections are permitted; only connections originating from those addresses are accepted. If no value is specified, any source address is permitted.

    Maximum Session Duration (Advanced)

    Specify the maximum duration of a session (in seconds).

    Prevent HTML Framing (Advanced)

    Deselect this option to allow users to view SSPR in an inline frame of any application whose HTML source includes the iframe.

    If you select this option, SSPR is not displayed in that application's iframe.

  4. Click Actions > Save.