This article explains how to tighten your CentreStack security by configuring the root CentreStack web application with a strict CORS policy. CORS (Cross-Origin Resource Sharing) is a mechanism in which the web server declares, through response headers, which origins may consume its resources via AJAX or fetch; the policy is enforced by the browser, so it governs scripts running on other websites in a user's browser rather than direct, non-browser clients. This is especially useful if you want to restrict browser-based access to the CentreStack REST API.
The setup is extremely simple.
Step 1: Install the CORS IIS module on your CentreStack node:
https://www.iis.net/downloads/microsoft/iis-cors-module
Step 2: Make a backup of the web.config of your root web application. It is usually located at the following path, but may be in a different location if your CentreStack is branded.
C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config
Step 3: Open the web.config with a plain-text editor, such as Notepad. Insert the following XML as child nodes of the <system.webServer> element (located towards the bottom of the file). Customize the origins (http://allowedwebsiteX.example.com) to match your needs; an origin is matched on scheme, host and port, so list an http:// and an https:// site separately if both are used. You can also remove allowed methods and add or remove origins:
<cors enabled="true">
  <add origin="*" allowed="false"/>
  <add origin="http://allowedwebsite1.example.com" allowCredentials="false" maxAge="120">
    <allowMethods>
      <add method="GET" />
      <add method="HEAD" />
      <add method="POST" />
      <add method="PUT" />
      <add method="DELETE" />
    </allowMethods>
  </add>
  <add origin="http://allowedwebsite2.example.com" allowCredentials="false" maxAge="120">
    <allowMethods>
      <add method="GET" />
      <add method="HEAD" />
      <add method="POST" />
      <add method="PUT" />
      <add method="DELETE" />
    </allowMethods>
  </add>
</cors>
CORS Module full documentation:
https://docs.microsoft.com/en-us/iis/extensions/cors-module/cors-module-configuration-reference#cors-configuration
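The following PowerShell script is an added example, not CentreStack's own tooling: it automates Step 2 and Step 3 by taking a timestamped backup of web.config and inserting the <cors> element under <system.webServer> through PowerShell's XML support, with the same deny-all default and per-origin entries as the XML above. The default path, the origin and method lists and the function name Add-CentreStackCorsPolicy are assumptions; adjust them before running it on a node.

```powershell
# Added example (not CentreStack's own tooling): automates Step 2 and Step 3 by backing up
# web.config and inserting the <cors> element under <system.webServer>.
# The default path, origins and methods below are assumptions; adjust them to your deployment.
function Add-CentreStackCorsPolicy {
    param(
        [string]$WebConfigPath = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config',
        [string[]]$AllowedOrigins = @('https://allowedwebsite1.example.com', 'https://allowedwebsite2.example.com'),
        [string[]]$AllowedMethods = @('GET', 'HEAD', 'POST', 'PUT', 'DELETE'),
        [int]$MaxAgeSeconds = 120
    )
    $ErrorActionPreference = 'Stop'

    # Step 2: timestamped backup beside the original so the change can be rolled back
    $backup = '{0}.{1}.bak' -f $WebConfigPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $WebConfigPath -Destination $backup
    Write-Host "Backup written to $backup"

    # Load the whole file as XML so the rest of the configuration is preserved
    [xml]$config = Get-Content -LiteralPath $WebConfigPath -Raw
    $webServer = $config.configuration.'system.webServer'
    if (-not $webServer) { throw '<system.webServer> element not found in web.config' }

    # Refuse to stack policies: an existing <cors> element should be reviewed by hand
    if ($webServer.SelectSingleNode('cors')) { throw '<cors> already present; edit it manually' }

    # Step 3: <cors enabled="true"> with a deny-all default, then one entry per allowed origin
    $cors = $config.CreateElement('cors')
    $cors.SetAttribute('enabled', 'true')

    $denyAll = $config.CreateElement('add')
    $denyAll.SetAttribute('origin', '*')
    $denyAll.SetAttribute('allowed', 'false')
    [void]$cors.AppendChild($denyAll)

    foreach ($origin in $AllowedOrigins) {
        $entry = $config.CreateElement('add')
        $entry.SetAttribute('origin', $origin)
        $entry.SetAttribute('allowCredentials', 'false')   # keep cookies out of cross-origin calls
        $entry.SetAttribute('maxAge', [string]$MaxAgeSeconds)

        $methods = $config.CreateElement('allowMethods')
        foreach ($m in $AllowedMethods) {
            $method = $config.CreateElement('add')
            $method.SetAttribute('method', $m)
            [void]$methods.AppendChild($method)
        }
        [void]$entry.AppendChild($methods)
        [void]$cors.AppendChild($entry)
    }

    [void]$webServer.AppendChild($cors)
    $config.Save($WebConfigPath)   # Save re-indents the file; the backup keeps the original layout
    Write-Host "Inserted <cors> with $($AllowedOrigins.Count) allowed origin(s) into $WebConfigPath"
}

Add-CentreStackCorsPolicy
```

Run it from an elevated PowerShell session on the CentreStack node, since web.config under Program Files is not writable by a standard user. The script throws rather than editing if <cors> is already present, so re-running it after a branded or manual edit does not produce a duplicate element.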
Step 4: To test CORS access, make an AJAX or fetch call to an API endpoint or test page in CentreStack from a page served by one of the allowed origins, and another from an origin that is not listed in the web.config.
[Screenshot: the Edge browser console when the request succeeds from an allowed origin]
[Screenshot: the same request made from a website that was not in the list of allowed origins]
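A server-side counterpart to the browser test in Step 4, added here as an example that is not part of the original article: the function Test-CorsOrigin (an assumed name) sends a GET with an Origin header and reports whether IIS answered with a matching Access-Control-Allow-Origin header, which is what the browser uses to decide whether a cross-origin script may read the response. The CentreStack URL and both origins are placeholders.

```powershell
# Added example (not from the article): server-side check for Step 4. Sends a GET with an
# Origin header and reports whether IIS returned a matching Access-Control-Allow-Origin.
# The CentreStack URL and both origins below are placeholders; substitute your own.
function Test-CorsOrigin {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Origin
    )
    # A plain GET is a "simple" CORS request, so no preflight is involved: the CORS module
    # consults web.config and either adds Access-Control-Allow-Origin or leaves it out.
    $resp = Invoke-WebRequest -Uri $Url -Method Get -Headers @{ Origin = $Origin } -UseBasicParsing

    # Headers values are string (Windows PowerShell 5.1) or string[] (PowerShell 7); normalise to one value
    $acao = @($resp.Headers['Access-Control-Allow-Origin'])[0]
    $acac = @($resp.Headers['Access-Control-Allow-Credentials'])[0]

    [pscustomobject]@{
        Origin            = $Origin
        Status            = $resp.StatusCode
        AllowOrigin       = $acao
        AllowCredentials  = $acac
        # A browser only exposes the response when the header echoes the origin or is '*';
        # with the deny-all entry from Step 3, '*' should never be returned.
        BrowserWouldAllow = [bool]($acao -eq $Origin -or $acao -eq '*')
    }
}

$target = 'https://centrestack.example.com/'   # placeholder: your CentreStack node
Test-CorsOrigin -Url $target -Origin 'https://allowedwebsite1.example.com'
Test-CorsOrigin -Url $target -Origin 'https://unlisted.example.net'
```

With the policy from Step 3 in place, the first call should report BrowserWouldAllow = True with AllowOrigin echoing the listed origin and AllowCredentials empty (the entries set allowCredentials="false"), while the second should report BrowserWouldAllow = False with no Access-Control-Allow-Origin header at all. If the second call returns AllowOrigin = '*', the deny-all <add origin="*" allowed="false"/> entry is missing or the module is not loaded.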
Please contact us at ticket@gladinet.com if you have any issues.