By default, users connect to the Web Interface over HTTP, which does not encrypt the data transferred between the Web browser and the Web Interface. To transfer data to the Web Interface securely, it is recommended to use HTTPS.
The secure hypertext transfer protocol (HTTPS) uses Secure Sockets Layer (SSL) provided by the Web server for data encryption. For instructions on how to enable SSL on your Web server, see https://support.microsoft.com/en-in/help/324069/how-to-set-up-an-https-service-in-iis.
Any Web interface is prone to security issues such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. To protect against such attacks, Active Roles can now be configured to enable CSRF and XSS protection for the Web Interface.
Cross-Site Request Forgery (CSRF) attacks can force users to execute unwanted actions on the Active Roles Web application in which they are currently authenticated. To reject such forged requests, Active Roles must be enabled to use Anti-Forgery protection.
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Hence, any script sent to Active Roles must be validated for malicious content before it is accepted and executed. To perform this validation, XSS protection must be enabled for Active Roles.
To configure keys in the Web interface
- From Windows Run, open IIS and Expand Default Website.
- Click the Active Roles Application.
NOTE: ARWebAdmin is the default Active Roles application.
- In the right pane, in the Configuration Editor, from the Section drop-down menu, select <Settings>.
- Click the button next to (Count=*), then click Add in the right pane.
- Enter the following values:
- Key: "<keyname>"
- Value: "<value>"
- Close the window and click Apply in the Actions pane on the right.
- Restart the application pool.
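The same procedure, scripted with the IIS WebAdministration module, as an added example that is not part of the Active Roles documentation. It assumes the IIS default site name "Default Web Site", the default application name ARWebAdmin, that the <Settings> section above is the standard appSettings section, and uses <keyname>/<value> as placeholders for the key and value you are adding; it also checks that the site has an HTTPS binding, reads the setting back, and restarts the application pool.

```powershell
# Added example (not from the Active Roles documentation).
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: IIS default site name
$appName  = 'ARWebAdmin'         # default Active Roles application (see NOTE above)
$appPath  = "IIS:\Sites\$siteName\$appName"
$keyName  = '<keyname>'          # placeholder: the key named in the documentation
$keyValue = '<value>'            # placeholder: the value to set

# 1. Warn if the site has no HTTPS binding: plain HTTP leaves Web Interface traffic unencrypted.
$https = Get-WebBinding -Name $siteName -Protocol 'https'
if (-not $https) {
    Write-Warning "No HTTPS binding on '$siteName'; Web Interface traffic is not encrypted."
}

# 2. Add the key to the application's appSettings section, or update it if it already exists.
$filter   = "appSettings/add[@key='$keyName']"
$existing = Get-WebConfigurationProperty -PSPath $appPath -Filter $filter -Name 'value'
if ($null -eq $existing) {
    Add-WebConfigurationProperty -PSPath $appPath -Filter 'appSettings' -Name '.' `
        -Value @{ key = $keyName; value = $keyValue }
} else {
    Set-WebConfigurationProperty -PSPath $appPath -Filter $filter -Name 'value' -Value $keyValue
}

# 3. Read the setting back to confirm it was written to the application's web.config.
$check = Get-WebConfigurationProperty -PSPath $appPath -Filter $filter -Name 'value'
if ($check.Value -ne $keyValue) {
    throw "Setting '$keyName' was not applied to $appPath."
}

# 4. Restart the application pool that serves the Active Roles application.
$pool = (Get-WebApplication -Site $siteName -Name $appName).applicationPool
Restart-WebAppPool -Name $pool
Write-Host "Set $keyName=$keyValue on $appPath and restarted application pool '$pool'."
```

Run it in an elevated PowerShell session on the IIS host; the WebAdministration module is only available where the IIS management tools are installed.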