Securing SigningHub Admin
'X-XSS-Protection' header
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. This header is now added by default in the application, and no additional configuration is needed.
Enforce HTTPS
SigningHub Admin enforces HTTPS to encrypt data transmitted between the client and server. This is configured within the application itself, and no further configuration is required.
Excluding API Response Headers
To allow SigningHub Admin to insert its own response headers instead of relying on those coming from the API server, specific headers can be excluded using the following configuration in appsettings.Production.json:
"Headers": {
    "Excluded": [
        "Transfer-Encoding",
        "Date",
        "Server"
    ]
}
When defined, the listed headers are removed from the API response before reaching the client. This allows the SigningHub Admin frontend to apply its own headers as needed.
This configuration is intended for internal use only. By default, SigningHub Admin automatically adds the excluded headers (Transfer-Encoding, Date, and Server) to maintain expected behaviour and compliance across environments.
CORS Policy
SigningHub implements CORS policies to control how its resources are accessed from external domains. By default, all origins are allowed, but this can be configured in appsettings.Production.json in the following section:
"Cors": {
    "Policy": "AllowAll",
    "Headers": "*",
    "AllowedOrigins": "*"
}
For "AllowedOrigins", set the value to the permitted origins, e.g. "https://example.com". SigningHub Web will then only be accessible from the origins in that list. If the setting is not present, SigningHub behaves as it does today and allows all origins by default.
HTTP Strict Transport Security (HSTS)
SigningHub implements HSTS to protect against protocol downgrade attacks and cookie hijacking by ensuring that browsers only communicate with the server over HTTPS. The following settings can be configured in appsettings.Production.json, and ExcludedHosts can be set explicitly as needed:
"Hsts": {
    "Preload": "true",
    "IncludeSubDomains": "true",
    "MaxAge": "60",
    "ExcludedHosts": ""
}
The ExcludedHosts entry is optional. If this optional parameter is specified, the rule applies to all of the site's sub-domains as well.
TLS Fallback SCSV
To work around interoperability problems with legacy servers, many TLS client implementations do not rely on the TLS protocol version negotiation mechanism alone. They will intentionally reconnect using a downgraded protocol if the initial handshake attempts fail. Such clients may fall back to connections in which they announce a version as low as TLS 1.0 (or even its predecessor, Secure Sockets Layer (SSL) 3.0) as the highest supported version. To avoid such protocol fallback attacks, it is recommended to disable all TLS protocols except TLS 1.2. Click here for instructions to disable the weak protocols.
SSL Medium Strength Cipher Suites
SigningHub does not use the Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES), so you can disable them to avoid any misuse. Click here for instructions to disable the weak or medium ciphers.
Hiding application errors and server information
Printing an exception in the browser, along with server OS information, application data, or version numbers, can be of great value to an attacker. By default, hiding these details is turned off to facilitate troubleshooting; however, when deployed in production, it should be turned on. It can be turned on by setting "DetailedErrors": true in appsettings.Production.json.
Content Security Policy Header
This header helps to prevent code injection attacks such as cross-site scripting and clickjacking by telling the browser which dynamic resources are allowed to load. The value of the Content-Security-Policy header is made up of directives separated by semicolons; 'self' translates to the same origin as the HTML resource. With this minimum configuration, your HTML is allowed to fetch JavaScript, stylesheets, etc. only from the same domain that served the HTML referencing the resources; you will not be able to include external scripts from CDNs and similar sources. This header is added in SigningHub Admin > Configurations > Global Settings > Content Security Policy, and you need to change the SigningHub URLs accordingly:
form-action 'none';
base-uri 'self';
frame-ancestors 'none';
default-src 'self' https://app.powerbi.com/;
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob:;
object-src 'none';
script-src 'self';
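The header settings this page configures (X-XSS-Protection, HSTS, CORS and the Content Security Policy above) can be verified against the response headers a deployed instance actually returns. The following is an added example, not SigningHub code: it audits a constructed header set (replace it with the headers returned by your own SigningHub Admin URL) and assumes only the names and values given on this page plus the hstspreload.org requirement that a preloaded max-age be at least one year.

```python
def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for segment in value.split(";"):
        parts = segment.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def audit(headers: dict) -> list:
    """Return findings for one response; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if h.get("x-xss-protection", "").split(";")[0].strip() != "1":
        findings.append("X-XSS-Protection missing or disabled")
    hsts = [t.strip().lower() for t in h.get("strict-transport-security", "").split(";")]
    max_age = next((int(t[len("max-age="):]) for t in hsts if t.startswith("max-age=")), None)
    if max_age is None:
        findings.append("Strict-Transport-Security missing")
    else:
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" in hsts and max_age < 31536000:  # hstspreload.org requires >= one year
            findings.append("HSTS preload set but max-age is under one year")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    for directive, want in (("frame-ancestors", "'none'"), ("object-src", "'none'"),
                            ("base-uri", "'self'"), ("form-action", "'none'")):
        if csp and csp.get(directive) != [want]:
            findings.append(f"CSP {directive} should be {want}")
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("CORS allows every origin (AllowedOrigins is '*')")
    return findings

# Constructed samples (not captured from a real deployment).
HARDENED = {
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "form-action 'none'; base-uri 'self'; frame-ancestors 'none'; "
                               "default-src 'self' https://app.powerbi.com/; style-src 'self' 'unsafe-inline'; "
                               "img-src 'self' data: blob:; object-src 'none'; script-src 'self'",
    "Access-Control-Allow-Origin": "https://example.com",
}
DEFAULTS = {  # the page's AllowAll CORS default, its MaxAge "60" example, and no CSP configured
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=60; includeSubDomains; preload",
    "Access-Control-Allow-Origin": "*",
}
```

Run audit() on the headers of a real response (for example from a requests.get() call) to get the same findings list for your deployment.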