Chat now with support
Chat mit Support

Identity Manager 9.3 - Web Application Configuration Guide

About this guide Managing the API Server Configuring API projects and web applications
General configuration Configuring the Administration Portal Configuring the Application Governance Module Configuring the Password Reset Portal Configuring the Web Portal
Configuring departments Configuring address books Ansichten konfigurieren Configuring application roles Configuring the Application Governance Module Configuring attestation Configuring authentication by accepting the terms of use Configuring request functions Configuring delegation Configuring your own API filter Configuring your own filters Configuring recommendations for adding entitlements to objects Configuring devices Configuring business roles Configuring the help desk module/tickets Configuring hyperviews Configuring identities Configuring password questions Configuring cost centers Configuring service items Program functions for the Web Portal Configuring software Configuring locations Configuring statistics Configuring system roles Skip table sorting Configuring team roles Configuring the four eyes principle for issuing a passcode. Configuring WebAuthn security keys
Configuring the Operations Support Web Portal
Recommendations for secure operation of web applications

Configuring Content Security Policy

The Content Security Policy enables you to effectively prevent cross-site scripting and other attacks aimed at infiltrating data into your web applications. You can customize the Content Security Policy settings at any time.

Required configuration keys:

  • Content security policy for HTML applications (ContentSecurityPolicy): Specifies which settings are transferred to the content-security-policy header and therefore apply to the Content Security Policy.

To configure Content Security Policy for all web applications

  1. Log in to the Administration Portal (see Logging in to the Administration Portal).

  2. In the navigation, click Configuration.

  3. On the Configuration page, in the Show configuration for the following API project drop-down, select the API Server API project.

  4. Expand the Content security policy for HTML applications configuration parameter.

  5. In the Value field, enter which settings are to be transferred to the content-security-policy header and therefore apply to the Content Security Policy.

  6. Click Apply.

  7. Perform one of the following actions:

    • If you want to apply the changes locally only, click Apply locally.

    • If you want to apply the changes globally, click Apply globally.

  8. Click Apply.

Configuring CORS (Cross-Origin Resource Sharing)

Configure Cross-Origin Resource Sharing (CORS) to enable browsers or web clients to provide API Server content.

Required configuration keys:

  • Allowed sources of requests for CORS(CorsOrigins): Specifies which sources are allowed to access resources on the API server for Cross-Origin Resource Sharing (CORS).

  • Maximum age of preflight requests for CORS (in seconds) (CorsMaxPreflightAgeSeconds): Specifies how many seconds CORS preflight requests (Cross-Origin Resource Sharing) are valid. The browser sends a preflight request to check whether the server allows a request. After the validity period has expired, the browser sends a new preflight request.

To configure CSP for all web applications

  1. Log in to the Administration Portal (see Logging in to the Administration Portal).

  2. In the navigation, click Configuration.

  3. On the Configuration page, in the Show configuration for the following API project drop-down, select the API Server API project.

  4. Expand the Allowed request origins for CORS configuration key.

  5. You can perform the following actions:

    • To add a source, click Add new and enter the source in the input field.

    • To change an existing source, change the source in the corresponding input field.

    • To remove an existing source, click on (delete) next to the corresponding source.

  6. Expand the Maximum age of preflight requests for CORS (in seconds) configuration key.

  7. In the Value input field, enter how many seconds CORS preflight requests (Cross-Origin Resource Sharing) are valid.

  8. Click Apply.

  9. Perform one of the following actions:

    • If you want to apply the changes locally only, click Apply locally.

    • If you want to apply the changes globally, click Apply globally.

  10. Click Apply.

Configuring cross-site request forgery (CSRF)

To protect yourself from cross-site request forgery (CSRF), you can set up different configurations.

Detailed information about this topic

Activating and deactivating cross-site request forgery protection

To control cross-site request forgery protection (CSRF) globally, activate or deactivate it.

NOTE: One Identity recommends having CSRF protection activated at all times. To simplify development and testing in their respective environments, you can deactivate CSRF protection, as no special CSRF tokens need to be generated or checked for each request.

Required configuration keys:

  • Globally disable CSRF protection tokens (XsrfProtectionDisabled): Specifies whether CSRF protection is activated or deactivated.

To activate or deactivate CRSF protection

  1. Log in to the Administration Portal (see Logging in to the Administration Portal).

  2. In the navigation, click Configuration.

  3. On the Configuration page, in the Show configuration for the following API project drop-down, select the API Server API project.

  4. Expand the Globally disable CSRF protection tokens configuration key.

  5. Perform one of the following actions:

    • To activate CSRF protection, clear the Globally disable CSRF protection tokens check box.

    • To deactivate CSRF protection, select the Globally disable CSRF protection tokens check box.

  6. Click Apply.

  7. Perform one of the following actions:

    • If you want to apply the changes locally only, click Apply locally.

    • If you want to apply the changes globally, click Apply globally.

  8. Click Apply.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen