# Securing SigningHub Desktop Web

***

## Excluding API Response Headers

To allow SigningHub Web to insert its own response headers instead of relying on those coming from the API server, specific headers can be excluded using the following configuration in **appsettings.Production.json**:

```json
"Headers": {
  "Excluded": [
    "Transfer-Encoding",
    "Date",
    "Server"
  ]
}
```

When defined, the listed headers are removed from the API response before reaching the client. This allows the SigningHub Web frontend to apply its own headers as needed.

This configuration is intended for internal use only. By default, SigningHub Web automatically adds the excluded headers (`Transfer-Encoding`, `Date`, and `Server`) to maintain expected behavior and compliance across environments.
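The following Python script is an added illustration, not SigningHub's own code, of what the `Headers.Excluded` list does to an API response before it reaches the browser. The upstream header values and the frontend's replacement headers are constructed for the example; the real frontend's header set is not shown on this page. The point worth seeing is that HTTP header names are case-insensitive, so the exclusion has to match `server` as well as `Server`.

```python
import json

# Constructed sample of the "Headers" section from appsettings.Production.json,
# embedded here so the example runs offline.
APPSETTINGS_FRAGMENT = json.loads("""
{
  "Headers": {
    "Excluded": ["Transfer-Encoding", "Date", "Server"]
  }
}
""")

# Headers the frontend sets itself once the excluded upstream ones are gone.
# Constructed values: the page does not list the frontend's actual headers.
FRONTEND_HEADERS = {
    "Server": "SigningHub",
    "X-Content-Type-Options": "nosniff",
}


def strip_excluded_headers(upstream_headers, settings):
    """Return a copy of the API response headers with every name listed in
    Headers.Excluded removed.  Header names are case-insensitive, so the
    comparison is done on lower-cased names; an exact-match filter would let
    "server: Microsoft-IIS/10.0" through and leak the server product."""
    excluded = {name.lower() for name in settings["Headers"]["Excluded"]}
    return {name: value for name, value in upstream_headers.items()
            if name.lower() not in excluded}


def build_client_headers(upstream_headers, settings, frontend_headers=FRONTEND_HEADERS):
    """Compose what the browser finally sees: the API server's response
    minus the excluded names, overlaid with the frontend's own headers."""
    headers = strip_excluded_headers(upstream_headers, settings)
    headers.update(frontend_headers)
    return headers


# Constructed upstream response headers, mimicking an IIS-hosted API reply.
UPSTREAM = {
    "Content-Type": "application/json; charset=utf-8",
    "server": "Microsoft-IIS/10.0",
    "Date": "Mon, 01 Jan 2024 00:00:00 GMT",
    "Transfer-Encoding": "chunked",
    "X-Request-Id": "constructed-1234",
}

if __name__ == "__main__":
    for name, value in build_client_headers(UPSTREAM, APPSETTINGS_FRAGMENT).items():
        print(f"{name}: {value}")
```

`Transfer-Encoding` is a hop-by-hop header, which is why the frontend rather than the upstream API should own it; `Server` and `Date` are stripped mainly to avoid fingerprinting the backend.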

***

## Disable Enforced HTTPS Redirection

If you want to use HTTP instead of HTTPS, the following configurations are required:

Set the `enabled` value of the `https_redirect` section in the **appsettings.Production.json** file to `false`:

```json
"https_redirect": {
  "enabled": "false"
}
```

***

## **Cross-Site Request Forgery (CSRF)**

SigningHub implements an anti-forgery token to protect the application from CSRF attacks. This protection is enabled by default, and no configuration is required.

***

## **CORS Policy**

SigningHub implements CORS policies to control how its resources are accessed from external domains. By default, all origins are allowed, but this can be configured in **appsettings.Production.json** in the following section:

```json
"Cors": {
  "Policy": "AllowAll",
  "Headers": "*",
  "AllowedOrigins": "*"
}
```

For `AllowedOrigins`, set the list of permitted origins, e.g. `https://example.com`. SigningHub Web will then only be accessible from the origins in that list. If the setting is not present, SigningHub behaves as it does today and allows all origins by default.
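The Python below is an added example, not SigningHub's implementation, showing how an `AllowedOrigins` allow-list behaves when it is applied to the `Origin` header of an incoming request. The `Cors` sections are constructed for the example; the comma-separated list format and the `Restricted` policy name are assumptions, since the page only shows the `AllowAll` default. The comparison is on the whole origin (scheme, host, port), so `https://example.com.evil.com` and `http://example.com` are both rejected when only `https://example.com` is listed.

```python
import json
from urllib.parse import urlsplit

# Constructed "Cors" sections: the page's default, and a restricted variant.
CORS_ALLOW_ALL = json.loads(
    '{"Cors": {"Policy": "AllowAll", "Headers": "*", "AllowedOrigins": "*"}}')
CORS_RESTRICTED = json.loads("""
{"Cors": {"Policy": "Restricted", "Headers": "*",
          "AllowedOrigins": "https://example.com, https://portal.example.com"}}
""")


def normalise_origin(origin):
    """Reduce an origin to scheme://host[:port] in lower case so that a
    trailing slash or letter case cannot cause a spurious mismatch,
    while the match itself stays exact (no prefix or substring logic)."""
    parts = urlsplit(origin.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def allowed_origins(settings):
    """Return the set of permitted origins, or None when every origin is
    allowed (setting absent, or the "*" wildcard the page describes)."""
    raw = settings.get("Cors", {}).get("AllowedOrigins")
    if raw is None or raw.strip() == "*":
        return None
    return {normalise_origin(item) for item in raw.split(",") if item.strip()}


def cors_headers_for(request_origin, settings):
    """Headers to add to the response for a request carrying the given
    Origin, or None when the origin is not permitted (no CORS headers are
    emitted, so the browser blocks the cross-origin read)."""
    allowed = allowed_origins(settings)
    if allowed is None:
        return {"Access-Control-Allow-Origin": "*"}
    if request_origin and normalise_origin(request_origin) in allowed:
        # Echo the specific origin and mark the response as varying on it so
        # that caches do not serve one origin's response to another.
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return None


if __name__ == "__main__":
    for origin in ("https://example.com", "https://example.com.evil.com", "http://example.com"):
        print(origin, "->", cors_headers_for(origin, CORS_RESTRICTED))
```

Note that a wildcard `Access-Control-Allow-Origin: *` cannot be combined with credentialed requests (cookies, `Authorization`), which is one more reason to prefer an explicit list in production.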

***

## **HTTP Strict Transport Security (HSTS)**

SigningHub implements HSTS to protect against protocol downgrade attacks and cookie hijacking by ensuring that browsers only communicate with the server over HTTPS. The following configuration can be set in **appsettings.Production.json** accordingly; **`ExcludedHosts`** is optional and can be set explicitly as needed:

```json
"Hsts": {
  "Preload": "true",
  "IncludeSubDomains": "true",
  "MaxAge": "60",
  "ExcludedHosts": ""
}
```

`ExcludedHosts` is **optional**. When `IncludeSubDomains` is set to `true`, the HSTS rule applies to all of the site's sub-domains as well.
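As an added example (not part of SigningHub), the Python below turns an `Hsts` section in the page's format into the `Strict-Transport-Security` header a response would carry, honours `ExcludedHosts`, and flags values that weaken the protection. The `Hsts` section is constructed; the comma-separated `ExcludedHosts` format is an assumption. The one-year minimum `max-age` comes from the Chromium preload list requirements, which also require `includeSubDomains` whenever `preload` is sent.

```python
import json

# Constructed "Hsts" section, matching the page's string-valued layout.
HSTS_SETTINGS = json.loads("""
{"Hsts": {"Preload": "true", "IncludeSubDomains": "true",
          "MaxAge": "60", "ExcludedHosts": "localhost, 127.0.0.1"}}
""")

PRELOAD_MIN_MAX_AGE = 31536000  # one year: the preload list minimum


def _truthy(value):
    return str(value).strip().lower() in ("true", "1", "yes")


def excluded_hosts(settings):
    """Hosts that must not receive the HSTS header (assumed comma-separated)."""
    raw = settings["Hsts"].get("ExcludedHosts") or ""
    return {host.strip().lower() for host in raw.split(",") if host.strip()}


def hsts_header(settings, request_host):
    """Strict-Transport-Security value for a response to request_host,
    or None when that host is listed in ExcludedHosts."""
    if request_host.lower() in excluded_hosts(settings):
        return None
    cfg = settings["Hsts"]
    parts = [f"max-age={int(cfg['MaxAge'])}"]
    if _truthy(cfg.get("IncludeSubDomains")):
        parts.append("includeSubDomains")
    if _truthy(cfg.get("Preload")):
        parts.append("preload")
    return "; ".join(parts)


def hsts_findings(settings):
    """Settings that weaken HSTS or make the preload directive ineffective.
    Browsers only remember the policy for MaxAge seconds after the last
    HTTPS visit, so a short value leaves a window for downgrade attempts."""
    cfg = settings["Hsts"]
    max_age = int(cfg["MaxAge"])
    findings = []
    if max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"MaxAge {max_age}s is below one year ({PRELOAD_MIN_MAX_AGE}s)")
    if _truthy(cfg.get("Preload")):
        if not _truthy(cfg.get("IncludeSubDomains")):
            findings.append("Preload requires IncludeSubDomains")
        if max_age < PRELOAD_MIN_MAX_AGE:
            findings.append("Preload requires MaxAge of at least one year")
    return findings


if __name__ == "__main__":
    print(hsts_header(HSTS_SETTINGS, "web.example.com"))
    print(hsts_header(HSTS_SETTINGS, "localhost"))
    for finding in hsts_findings(HSTS_SETTINGS):
        print("finding:", finding)
```

With the page's sample value of `"MaxAge": "60"` the script reports two findings; that value is fine for a first rollout, where a mistake can be backed out quickly, but a production site should raise it once HTTPS is known to work everywhere.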

***

## **HTTP Public Key Pinning header**

The HTTP Public-Key-Pins response header associates a specific cryptographic public key with a particular web server to reduce the risk of MITM attacks involving forged certificates. If one or several keys are pinned and none of them is used by the server, the browser will not accept the response as legitimate and will not display it. To enable Key Pinning, add the following header in the HTTP Response Headers of IIS against the SigningHub Desktop Web website:

```http
Public-Key-Pins:
  pin-sha256="<pin-value>";
  pin-sha256="<backup-pin-value>";
  max-age=<expire-time>;
  includeSubDomains
```

`pin-sha256`: The quoted string is the **Base64** encoded **Subject Public Key Information (SPKI)** fingerprint. It is possible to specify multiple pins for different public keys. Some browsers might allow other hashing algorithms than **SHA-256** in future.

`max-age`: The time, in seconds, that a browser should remember that this site is only to be accessed using one of the defined keys, e.g. 31536000.

`includeSubDomains`: If this **Optional** parameter is specified, this rule applies to all of the site's subdomains as well.
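The script below is an added example (not SigningHub's code) of how a `pin-sha256` value is derived and how a `Public-Key-Pins` header can be checked before it is published. A pin is the Base64 encoding of the SHA-256 digest of the DER-encoded SPKI, which is exactly the body of a `-----BEGIN PUBLIC KEY-----` PEM block; the script includes a tiny DER encoder so that it can build a constructed toy RSA SPKI (a small, meaningless modulus, not a real key) and run offline. The check that at least two pins are present comes from RFC 7469, which requires a backup pin for a key not in the served chain, since pinning a single key locks users out if that key is ever lost. One caveat: current mainstream browsers no longer enforce HPKP, so treat this header as defence in depth for clients that still honour it rather than as a primary control.

```python
import base64
import hashlib
import re

# ---- minimal DER helpers, enough to build a SubjectPublicKeyInfo ----------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

def rsa_spki(modulus, exponent):
    """DER SubjectPublicKeyInfo for an RSA public key."""
    algorithm = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_key))

# ---- pin computation -------------------------------------------------------

def spki_pin(spki_der):
    """pin-sha256 value: Base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def spki_to_pem(spki_der):
    b64 = base64.b64encode(spki_der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

def spki_from_pem(pem):
    """The body of a PUBLIC KEY PEM block is the DER SPKI itself."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))

# ---- header parsing and checks --------------------------------------------

def parse_hpkp(header_value):
    """Parse a Public-Key-Pins value into pins, max_age and includeSubDomains."""
    pins, max_age, include_sub = [], None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "includeSubDomains": include_sub}

def hpkp_findings(header_value):
    """RFC 7469 sanity checks: a backup pin, a max-age, well-formed digests."""
    parsed = parse_hpkp(header_value)
    findings = []
    if len(parsed["pins"]) < 2:
        findings.append("fewer than two pins: RFC 7469 requires a backup pin")
    if parsed["max_age"] is None:
        findings.append("max-age directive missing")
    for pin in parsed["pins"]:
        try:
            digest_len = len(base64.b64decode(pin, validate=True))
        except ValueError:
            digest_len = -1
        if digest_len != 32:
            findings.append(f"pin {pin!r} is not a Base64 SHA-256 digest")
    return findings

# Constructed toy key: a tiny modulus so the example runs offline. NOT a real key.
TOY_SPKI = rsa_spki(modulus=0xC0FFEE1234567890ABCDEF, exponent=65537)

if __name__ == "__main__":
    print(spki_to_pem(TOY_SPKI))
    print("pin-sha256:", spki_pin(TOY_SPKI))
    print(hpkp_findings(f'pin-sha256="{spki_pin(TOY_SPKI)}"; max-age=5184000; includeSubDomains'))
```

For a real deployment, `spki_from_pem` would be fed the public key extracted from the site certificate and from the backup key pair, and both resulting pins would go into the header.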

***

## **TLS Fallback SCSV**

To work around interoperability problems with legacy servers, many TLS client implementations do not rely on the TLS protocol version negotiation mechanism alone. They will intentionally reconnect using a downgraded protocol if the initial handshake attempts fail. Such clients may fall back to connections in which they announce a version as low as TLS 1.0 (or even its predecessor, Secure Sockets Layer (SSL) 3.0) as the highest supported version. To avoid these protocol downgrade attacks, it is recommended to disable all TLS protocols except TLS 1.2. [Click here](https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html) for instructions to disable the weak protocols.

***

## **SSL Medium Strength Cipher Suites**

SigningHub does not use the Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES), so you can disable them to avoid any misuse. [Click here](https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html) for instructions to disable the weak or medium ciphers.

***

## **Hiding application errors and server information**

Printing an exception in the browser, server OS information, application data, or version numbers can be of great value to an attacker. By default, this is turned off to facilitate troubleshooting errors; however, when deployed in production, it should be turned on. It can be turned on by setting `"DetailedErrors": true` in **appsettings.Production.json**.

***

## **Content Security Policy Header**

This header helps to prevent code injection attacks like cross-site scripting and clickjacking by telling the browser which dynamic resources are allowed to load. The value of the Content-Security-Policy header is made up of several directives separated by semicolons; `'self'` translates to the same origin as the HTML resource. With this minimum configuration, your HTML is allowed to fetch JavaScript, stylesheets, etc. only from the same domain that served the HTML referencing the resources; you won't be able to include external scripts from CDNs and similar. This header is added in SigningHub Admin > Configurations > Global Settings > Content Security Policy, and you need to change the SigningHub URLs accordingly:

{% code overflow="wrap" %}

```http
object-src 'none';

script-src 'strict-dynamic'
    'self'
    https://www.dropbox.com
    [ADSS_URL]/adss/gosign/
    https://seal.globalsign.com/SiteSeal/
    https://az416426.vo.msecnd.net/
    https://googleads.g.doubleclick.net
    https://www.googleadservices.com
    https://www.googletagmanager.com
    https://bat.bing.com
    https://az416426.vo.msecnd.net
    https://www.google.com/recaptcha
    https://www.google.com/recaptcha/api.js
    https://www.gstatic.com/recaptcha/
    http://apis.google.com
    https://docs.google.com/picker
    https://js.live.net
    https://www.google-analytics.com
    https://client.go-sign-desktop.com:8782/gosign-desktop
    https://graph.microsoft.com/v1.0/drive/items/
    https://api.taxamo.com/js/v1/taxamo.all.js
    [API_URL]
    [WEB_URL];

style-src
    'self';

img-src
    'self'
    [API_URL]
    [WEB_URL]
    data:
    blob:;

font-src
    'self'
    https://fonts.gstatic.com/
    data:;

connect-src
    'self'
    https://t1c.t1t.io:58937/
    https://t1c.t1t.io:51883/v3/
    https://t1c.t1t.io:51883/
    https://t1c.t1t.io:58937/v3/
    https://www.google-analytics.com
    https://beta10.demo.signinghub.com/
    https://65.52.68.199:8778/adss/gosign/handler
    https://test.eideasy.com/api/
    https://id.eideasy.com/api/
    https://app.powerbi.com
    https://stats.g.doubleclick.net
    https://graph.microsoft.com/v1.0/
    https://dc.services.visualstudio.com/v2/track
    https://graph.microsoft.com/v1.0/drive/items
    https://client.go-sign-desktop.com:8782
    https://web.signinghub.com/adss/gosign/handler
    https://client.go-sign-desktop.com:8782/gosign-desktop
    https://graph.microsoft.com/v1.0/me/drive/items/
    [API_URL]
    [WEB_URL];

child-src
    'self'
    https://docs.google.com/picker
    https://client.go-sign-desktop.com:8782/gosign-desktop
    https://accounts.google.com
    https://api.taxamo.com/
    https://t1c.t1t.io:58937/
    https://t1c.t1t.io:51883/v3/
    https://t1c.t1t.io:51883/
    https://t1c.t1t.io:58937/v3/
    https://c.taxamo.com/
    https://p.taxamo.com/
    https://www.google.com/
    https://t1c.t1t.io
    https://acc-ds.t1t.io/v3/tokens/application;

frame-src
    https://api.taxamo.com/
    https://p.taxamo.com/
    https://app.powerbi.com/;

frame-ancestors
    [WEB_URL];

base-uri
    'self';
```

{% endcode %}

{% hint style="info" %}
Please update the following placeholders in the CSP header: `[API_URL]`, `[WEB_URL]` and `[ADSS_URL]` (the last one is for local-side signing using ADSS Go>Sign).
{% endhint %}

{% hint style="info" %}
Add the following URLs in `connect-src` for Belgian eID Card, in addition to the above CSP headers:

* `https://client.localmiddleware.be:20202/version`
* `https://client.localmiddleware.be:20202/status`
* `https://client.localmiddleware.be:20202/events`
* `https://client.localmiddleware.be:20202/session`
* `https://client.localmiddleware.be:20202/eID/signingSession`
* `https://client.localmiddleware.be:20202/eID/id`
* `https://client.localmiddleware.be:20202/eID/nonRepudiationCertificate`
* `https://client.localmiddleware.be:20202/eID/citizenCertificate`
* `https://client.localmiddleware.be:20202/eID/rootCertificate`
* `https://client.localmiddleware.be:20202/eID/signRsa`
{% endhint %}

{% hint style="info" %}
Add the following URLs in `child-src`, and the last one in `script-src`, for Stripe, in addition to the above CSP headers:

* `https://api.taxamo.com/`
* `https://c.taxamo.com/`
* `https://p.taxamo.com/`
* `https://api.taxamo.com/js/v1/taxamo.all.js`
{% endhint %}

{% hint style="info" %}
Add the following URLs in `connect-src` for T1C signing, in addition to the above CSP headers:

* `https://t1c.t1t.io`
* `https://t1c.t1t.io:51983/info`
{% endhint %}

This configuration lets your web application load resources and styles from its own domain, and scripts from [http://apis.google.com](http://apis.google.com/), [https://js.live.net](https://js.live.net/) and [https://www.google-analytics.com](https://www.google-analytics.com/).

{% hint style="info" %}
The domain(s) added under `frame-ancestors` are allowed to embed the Document Viewer within an iframe. Only the specified domains will be able to embed the Document Viewer; leaving this directive blank allows all domains to embed it.
{% endhint %}
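The Python below is an added example, not part of SigningHub, of a small tool for working with the policy above before it is pasted into the Global Settings field: it parses the directive list, replaces the `[API_URL]`-style placeholders, appends the per-connector additions (the Belgian eID `connect-src` entries are used as sample input) without duplicating sources, and reports the mistakes that most often slip through, such as a placeholder left in place or an empty `frame-ancestors`. The sample policy is a shortened, constructed version of the page's header; the placeholder values are made up. One check goes beyond the page's text: in CSP3 browsers a `script-src` that contains `'strict-dynamic'` ignores host and scheme allow-list entries and trusts only nonced or hashed scripts (and scripts they load), so the long host list after `'strict-dynamic'` only takes effect in browsers that do not understand that keyword.

```python
import re

PLACEHOLDER = re.compile(r"\[[A-Z_]+\]")       # [API_URL], [WEB_URL], [ADSS_URL]

# Constructed, shortened policy in the page's format (multi-line, ';'-separated).
SAMPLE_CSP = """
object-src 'none';
script-src 'strict-dynamic' 'self' http://apis.google.com [API_URL] [WEB_URL];
connect-src 'self' [API_URL] [WEB_URL];
frame-ancestors [WEB_URL];
base-uri 'self'
"""

# Two of the Belgian eID connect-src additions listed on the page.
EID_CONNECT_SRC = [
    "https://client.localmiddleware.be:20202/version",
    "https://client.localmiddleware.be:20202/status",
]

# Constructed placeholder values; the real URLs are deployment-specific.
PLACEHOLDER_VALUES = {
    "[API_URL]": "https://api.signinghub.example",
    "[WEB_URL]": "https://web.signinghub.example",
}


def parse_csp(header_value):
    """Split a policy into {directive: [sources]}.  Directives are separated
    by ';' and sources by any whitespace, so a multi-line admin field parses
    the same way as a single-line header."""
    policy = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy):
    """Single-line header value suitable for Content-Security-Policy."""
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())


def fill_placeholders(policy, values):
    return {name: [values.get(src, src) for src in sources]
            for name, sources in policy.items()}


def add_sources(policy, directive, sources):
    """Append connector-specific sources to a directive, skipping duplicates."""
    existing = policy.setdefault(directive, [])
    for src in sources:
        if src not in existing:
            existing.append(src)
    return policy


def csp_findings(policy):
    """Problems worth fixing before the policy goes live."""
    findings = []
    for name, sources in policy.items():
        for src in sources:
            if PLACEHOLDER.fullmatch(src):
                findings.append(f"{name}: placeholder {src} not replaced")
            elif src.startswith("http://"):
                findings.append(f"{name}: {src} uses http://; prefer https:// "
                                "(a plaintext load is mixed content on an HTTPS page)")
            elif src in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                findings.append(f"{name}: permissive source {src}")
    script_src = policy.get("script-src", [])
    if "'strict-dynamic'" in script_src and any(s.startswith("http") for s in script_src):
        findings.append("script-src: 'strict-dynamic' makes the host allow-list "
                        "irrelevant in CSP3 browsers; scripts need a nonce or hash")
    if policy.get("object-src") != ["'none'"]:
        findings.append("object-src should be 'none' (blocks plugin-based injection)")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> could redirect relative script URLs")
    if not policy.get("frame-ancestors"):
        findings.append("frame-ancestors empty: any site may embed the Document Viewer")
    return findings


if __name__ == "__main__":
    policy = fill_placeholders(parse_csp(SAMPLE_CSP), PLACEHOLDER_VALUES)
    add_sources(policy, "connect-src", EID_CONNECT_SRC)
    print(serialize_csp(policy))
    for finding in csp_findings(policy):
        print("finding:", finding)
```

Run against the unmodified sample, the checker flags the two unreplaced placeholders and the `http://` entry; after `fill_placeholders` only the `http://` and `'strict-dynamic'` notes remain.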

## **CAPTCHA configurations**

Google CAPTCHA must be configured in the SigningHub application to prevent brute force attacks. This can be configured in the SigningHub admin console under connectors and has to be set as the default Google CAPTCHA under Global Settings.

***

## Enabling HTTP/2

To improve performance and security, SigningHub Web can be configured to use **HTTP/2**. This is supported on IIS 10 and above running on Windows Server 2016 or later.

1. Open **IIS Manager**.
2. Navigate to your **SigningHub website**.
3. Select **Bindings** from the **Actions** pane.
4. Edit the site’s **HTTPS binding** and ensure an SSL certificate is configured.
5. Verify that the option **Disable HTTP/2** is **unchecked**.

<div data-full-width="false"><figure><img src="https://1786763272-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGv9Dij6knpvpdpZGjJ2i%2Fuploads%2FVJXiJ0Ns3x69GRcYUj1y%2Fimage.png?alt=media&#x26;token=dadac31a-8ec5-4aa2-9871-ec3726e60ee3" alt=""><figcaption></figcaption></figure></div>

Once configured, SigningHub will automatically use HTTP/2 for all supported browsers.
