Edit online

Configuring Security Settings

Oxygen XML Web Author includes a built-in mechanism for restricting outgoing network connections. There is a Security tab in the Administration Page that provides options for handling security-related features, including an option for specifying trusted code locations and a firewall option where you can choose to restrict access to hosts that are not specified as being trusted.

Security Options

The Security tab in the Administration Page includes a Security Options section with the following options:

Security Options

Application authentication provider: Use this option to activate application-level authentication to only allow authenticated users access to the application. This will significantly enhance the application's security, protecting against potential attacks (e.g. denial-of-service attacks). The possible selections are GitHub, GitLab, or GitLab Enterprise, but it is important to note that they are only available if configured. See Integrating Web Author with Git (GitHub, GitLab, Bitbucket) for configuration details.
Reject invalid security certificates: If selected, HTTPS connections with invalid certificates will be rejected. If not selected, security certificates are accepted, even if they are invalid.
Use the "Secure" attribute for the session cookie: If selected, the "Secure" cookie attribute will be added on the session cookie. This means that the browser will only send the session cookie over HTTPS (if enabled).
CAUTION: Do not enable this option unless Web Author is accessed only over HTTPS.
Use HTTP Strict Transport Security (HSTS): If selected, the Strict-Transport-Security header that makes browsers access the application's domain will be set using only HTTPS protocol (including subdomains).
Warning: Do not set this option unless all the applications hosted on the DNS domain where Web Author is hosted, and the applications on the subdomains of this domain, are hosted only over HTTPS. Applications that use HTTP instead of HTTPS and are hosted on the DNS domain of Web Author and its subdomain will not work for Web Author users after you enable this setting.

Trusted Code

By default, Web Author does not load code (such as CSS or Schematron) referenced directly in documents unless it comes from the framework (document type association) or a plugin. However, you can specify code locations to be considered trusted by adding them in the Trusted Code option in the Security tab of the Administration Page. The code locations need to be declared with URL patterns, one per line. For example:

*//github.com/*
webdav-https://my-server:8081/repo/*

Note: The location of a resource should be its OXY-URL.

To consider all code as trusted (which is equivalent to disabling this security feature and is not recommended), you can use a wildcard that matches any location:

Firewall

It is possible to restrict the domains that the Web Author server is allowed to connect to. The Security tab in the Administration Page includes a Firewall section where you can choose to allow all connections or only allow connections to hosts that you specify as trusted. You can specify the hosts to be considered trusted by adding them (one per line) in the Only allow connections to these trusted hosts option. For example:

www.oxygenxml.com:443
*.mycompany.intranet

To allow connections to a domain regardless of the port, you can specify just the domain name. The wildcard character * can also be used, for example, to match any subdomain.

If the Allow All Connections and Log each connection options are enabled, a log entry will be added for each outgoing connection that contains the [OUTGOING CONNECTION] token. This is useful for monitoring and for determining which domains should be marked as trusted.

Notes:

Plugins can specify whether a connection is allowed or denied, regardless of whether or not they are listed in the Security tab of the Administration Page. For example, the Perforce plugin allows connections to the Perforce server configured in the Administration page.
To see which plugins allowed or denied connections, you can activate logging for this kind of events by adding the following line to the log configuration file:
```
log4j.category.com.oxygenxml.webauthor.SecurityManager=info
```
Lines that correspond to such events contain the token [PLUGIN FIREWALL DECISION].
Connections that have no security risks (such as connections to the License Server) are also allowed regardless of the settings in the Security tab of the Administration Page.