
Securing Front Office

This article lists recommendations for securing your Front Office installation, including details about configuration settings required in different integration scenarios.

Please note the following prerequisites:

  1. You have Administrator access to the servers where Front Office is installed.
  2. Front Office is already installed and working as expected.

This article covers the following topics:

  1. Standard Security Settings
  2. Front Office Hosting Examples
  3. Additional Information

Standard Security Settings

Host Front Office Securely

Configure both Front Office components to be hosted securely within IIS, using HTTPS. More information can be found in the Front Office Administration Guide.

Enforce HTTPS Within Front Office

Using the Front Office installation file:

  1. Select “Configure Existing Front Office System” followed by “Edit Website Settings”.
  2. This will validate the Front Office installation, and once complete you can click “Next”.
  3. On the next screen, please make sure “Enforce HTTPS” is ticked.
  4. Once checked, click “Next” to complete the update.

Configure URL Redirect for HTTPS

After Front Office has been installed and “Enforce HTTPS” selected, please complete the optional steps below to enable automatic redirection from HTTP URLs to HTTPS; there are two options:

  1. HTTP Strict Transport Security (HSTS) for IIS 10.0 Version 1709 and above
  2. Microsoft URL Rewrite extension for IIS 7 and above

HTTP Strict Transport Security (HSTS) for IIS 10.0 Version 1709 and above

Supported Windows Server versions: Windows Server 2022, Windows Server 2019.

Please note: by implementing HTTP Strict Transport Security at the default web site level, it will apply to all websites hosted within IIS. If you only want the HTTP to HTTPS redirect to apply to a specific website, please use the URL Rewrite extension option below.

  1. Launch IIS.
  2. Select “Default Web Site”
  3. In the bottom-right corner, you will find the Action pane, which contains an HSTS option under the Configure heading. Click the “HSTS...” link.
  4. The Edit Website HSTS screen allows you to set and configure a number of settings, including “Redirect HTTP to HTTPS”.
  5. To enable automatic redirects from HTTP to HTTPS, please make sure the “Enable” and “Redirect HTTP to HTTPS” options are ticked.
  6. Once you have confirmed your settings by clicking the “OK” button, your HSTS settings will be enabled at the Default Web Site level and apply to all websites.

Microsoft URL Rewrite extension for IIS 7 and above

Supported Windows Server versions: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2.

  1. Install the required URL Rewrite module by downloading it from Microsoft and accepting the
    default installation options: https://www.iis.net/downloads/microsoft/url-rewrite
  2. Launch your preferred text editing tool using ‘Run as Administrator’ and open <Install Location>\WebSite\web.config
  3. Find the <system.webServer> section and paste the <rewrite> settings shown below into it.

     <configuration>
       <system.webServer>
         <rewrite>
           <rules>
             <!-- Redirect any request that arrived over plain HTTP to the same host and path over HTTPS -->
             <rule name="HTTPS Redirect" stopProcessing="true">
               <match url="(.*)" />
               <conditions>
                 <add input="{HTTPS}" pattern="^OFF$" />
               </conditions>
               <!-- {REQUEST_URI} already begins with "/" and includes the query string,
                    so no extra "/" is inserted and the query string is not appended twice -->
               <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
             </rule>
           </rules>
         </rewrite>
       </system.webServer>
     </configuration>

  4. Save your web.config file.

Front Office Hosting Examples

After Front Office is installed, it can be hosted in several different ways, which will have an impact on the security settings you require. We have listed a few different examples below along with their associated security recommendations. If you have a scenario that is not listed, please do not hesitate to contact the support team via https://frontofficehelp.biomni.com/hc/en-us/requests/new  for additional security recommendations.

Default Installation

Below are the security recommendations when Front Office is used as a standalone application using default settings.

  1. Navigate to <Install Location>\WebSite
  2. Open web.config using your preferred text editing tool, making sure it is opened using the ‘Run as Administrator’ command.
  3. Find the <customHeaders> section and add the X-Frame-Options and Content-Security-Policy settings as demonstrated below.

     <system.webServer>
       <httpProtocol>
         <customHeaders>
           <!-- Only pages from the same origin may frame Front Office -->
           <add name="X-Frame-Options" value="SAMEORIGIN" />
           <!-- Resources may be loaded from Front Office itself and from the Google Fonts host -->
           <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.gstatic.com" />
         </customHeaders>
       </httpProtocol>
     </system.webServer>

  4. Lastly, save your web.config file.

Front Office Embedded Within an IFrame on Another Website

Front Office is installed on its own domain but is being hosted within a third-party website, which means the end-user does not see the Front Office URLs. In this example, the third-party website’s URL is either https://www.example.com or a subdomain of example.com, and the recommended security settings are below.

  1. Navigate to <Install Location>\WebSite
  2. Open web.config using your preferred text editing tool, making sure it is opened using the ‘Run as Administrator’ command.
  3. Find the <customHeaders> section and add the Content-Security-Policy setting as demonstrated below.

     <system.webServer>
       <httpProtocol>
         <customHeaders>
           <!-- frame-ancestors lists the sites permitted to embed Front Office in a frame -->
           <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.gstatic.com; frame-ancestors 'self' https://*.example.com" />
         </customHeaders>
       </httpProtocol>
     </system.webServer>

  4. Lastly, save your web.config file.

We have intentionally not used the X-Frame-Options header with the ALLOW-FROM directive because it is now obsolete. Instead, the Content-Security-Policy frame-ancestors directive is used.

Front Office Utilizing Content from a Third-Party Website in a Front Office Iframe

Front Office is hosted on its own domain, which your users can see, but includes content from third-party websites displayed within an iframe in Front Office. In this example, the third-party website’s URL can be either https://www.example.com or a subdomain of example.com, and the recommended security settings are below.

  1. Navigate to <Install Location>\WebSite
  2. Open web.config using your preferred text editing tool, making sure it is opened using the ‘Run as Administrator’ command.
  3. Find the <customHeaders> section and add the Content-Security-Policy setting as demonstrated below.

     <system.webServer>
       <httpProtocol>
         <customHeaders>
           <!-- child-src lists the sites whose content Front Office may display in its own iframes -->
           <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.gstatic.com; child-src 'self' https://*.example.com" />
         </customHeaders>
       </httpProtocol>
     </system.webServer>

  4. Lastly, save your web.config file.
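To verify a deployment against the settings above (the HTTP to HTTPS redirect rule and the three header configurations), the following is an added Python example that is not part of this article or of Front Office. It audits a captured set of response headers, shown here as a constructed sample, and the hypothetical partner value stands for the allowed third-party origin.

```python
"""Offline audit of the headers this article configures (added example, not Biomni's code).
Checks a captured header set against the three hosting scenarios and the HTTP-to-HTTPS
redirect rule; all function and sample names are hypothetical."""
from urllib.parse import urlsplit


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers, scenario, partner=None):
    """Return findings (empty list = headers match the article). scenario is 'default',
    'embedded' (partner site frames Front Office) or 'embeds-third-party' (Front Office
    frames the partner site); partner is the allowed origin, e.g. https://*.example.com."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security missing: HSTS is not enabled")
    csp = parse_csp(h.get("content-security-policy", ""))
    if "default-src" not in csp:
        findings.append("Content-Security-Policy missing or has no default-src")
    xfo = h.get("x-frame-options", "").upper()
    if scenario == "default" and xfo != "SAMEORIGIN":
        findings.append("X-Frame-Options should be SAMEORIGIN (DENY is not recommended)")
    elif scenario == "embedded" and partner not in csp.get("frame-ancestors", []):
        findings.append(f"frame-ancestors must allow {partner}")
    elif scenario == "embeds-third-party" and partner not in csp.get("child-src", []):
        findings.append(f"child-src must allow {partner}")
    return findings


def audit_redirect(request_url, status, location):
    """True if a plain-HTTP request was redirected to the same host and path over HTTPS."""
    req, loc = urlsplit(request_url), urlsplit(location or "")
    return (status in (301, 302, 307, 308) and loc.scheme == "https"
            and loc.netloc == req.netloc and loc.path == req.path)


# Constructed sample capture for the "embedded" scenario (not a real server response)
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval' "
                               "https://fonts.gstatic.com; frame-ancestors 'self' https://*.example.com",
}
```

A redirect to https://host//path (doubled slash) fails audit_redirect, which is the symptom of an extra "/" placed in front of {REQUEST_URI} in the rewrite rule.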

Additional Information

A summary of the security headers listed in this document can be found below, including links to external sources containing more detailed information.

X-Frame-Options

The X-Frame-Options header is used to protect the site from clickjacking attacks, which trick a user into clicking a webpage element that is invisible or disguised as another element. The X-Frame-Options header defines whether a browser may render the page in a frame on other sites or on the same site.

The possible values for X-Frame-Options are:

  • DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so. (WE DO NOT RECOMMEND USING THIS SETTING)
  • SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.

More information about X-Frame-Options and its possible values can be found here:

Content-Security-Policy

The Content Security Policy (“CSP”) header tells the browser which content sources are trusted for loading specific resource types. The header also defines how loaded resources may behave. It assists in defending against cross-site scripting (“XSS”) and other code execution attacks.

A CSP requires careful tuning, precise definition of the policy, and thorough testing once added. If enabled, CSP has a significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). The 'unsafe-inline' and 'unsafe-eval' keywords in the policies above grant exactly that allowance, so the resulting policy restricts which origins content may be loaded from but does not block injected inline script.

There are different types of directives available that can be configured as part of this header:

  1. Fetch directives: Control the locations from which certain resource types may be loaded.
  2. Document directives: Govern the properties of the document or worker environment to which a policy applies.
  3. Navigation directives: Govern the locations a user can navigate to or submit a form to, for example.
  4. Reporting directives: Control how CSP violations are reported.

More information about Content-Security-Policy and its possible values can be found here:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
