Security configuration options


Smart IT provides the following configuration options to secure data. Each entry below gives the area, the option, and a description of the option.

Area: Openfire chat data
Option: Cross-domain-policy

If you have implemented chat, you can also configure Openfire to limit the domains that have access to Smart IT chat data. The default setting in Openfire chat allows access to data from all domains.

Best practice: We recommend that you change the value to allow access only from a specific domain (or domains).

For information about how to configure these security options, see Configuring-security-options-for-Smart-IT.

Area: File attachment types
Option: Attachment Security

You can configure Remedy Action Request System server to prevent users from attaching certain file types to Smart IT records. For example, you might want to block users from attaching executable files or scripts to the Activity feed to prevent malicious code from executing when the attachment is opened. If you restrict attachment file types, an error message is displayed when users try to attach those file types in the following contexts:

  • Ticket details (for example, when adding an attachment to the Description field on incidents, work orders, problem investigations, and known errors)
  • Asset profiles (for example, profile images)
  • People profiles (for example, profile images)
  • Activity feed
  • Email
  • Broadcasts
  • Change request documents
  • Knowledge articles

By default, the Attachment Security settings are blank, which allows all attachment types. For more information about these settings, see Setting security restrictions on file uploads.

For information about how to configure these security options, see Configuring-security-options-for-Smart-IT.

Area: Content security policy
Option: CSP properties

You can configure the content security policy option in Central Configuration. Smart IT uses this content security policy (CSP) to determine which resources are allowed to load in the application UI. Use of a CSP reduces the risk of cross-site scripting (XSS) attacks. The CSP is defined as a set of properties stored in the SHARE:Application_Properties form. For example, the CSP defines the source domains that are valid for loading scripts and objects. Smart IT supports the connect-src, object-src, script-src, img-src, and media-src directives, which are described in the Content Security Policy (CSP) Quick Reference Guide at http://content-security-policy.com/.

Central Configuration includes out-of-the-box directives that are defined in the following properties: smartItCsp_connect-src_0, smartItCsp_object-src_0, and smartItCsp_script-src_0. You must not remove or update these properties.

You can add your own directives to the CSP, according to the requirements of your organization. For example, you might want to allow users to add images from external sources to knowledge articles.

For information about how to configure these security options, see Configuring-security-options-for-Smart-IT.

Area: Strict-Transport-Security response header
Option: Strict-Transport-Security

You can enable the Strict-Transport-Security response header for Smart IT to tell browsers that Smart IT must be accessed only over HTTPS, not HTTP. Without this header, browsers can connect over both HTTP and HTTPS even when you have configured HTTPS.

Area: Cross-Frame Scripting
Option: X-FRAME-OPTIONS

The default setting for this parameter denies Cross-Frame Scripting (XFS) through an iFrame. XFS is an attack that combines malicious JavaScript with an iFrame that loads a legitimate page in order to steal information from an unsuspecting user. The attack succeeds when it is combined with social engineering.

On the Mid-Tier server, in the web.xml file, you can set the value to SAMEORIGIN, which allows only the current site to frame the content. If you set ALLOW-FROM uri, only the specified URI is allowed to frame the page. Restart the Mid-Tier services after you modify this value.

For information about how to configure these security options, see Configuring-security-options-for-Smart-IT.

Area: Secured connection to access the Smart IT Android application
Option: usesCleartextTraffic

This property is set in the AndroidManifest.xml file, and its default value is true (which permits cleartext HTTP traffic). We recommend using TLS 1.2 connections to the Smart IT server in production.
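The following check is an example added to this page, not Smart IT or BMC code: it parses a set of HTTP response headers and flags the weaknesses that the Strict-Transport-Security, X-FRAME-OPTIONS and CSP entries above describe. The sample header values and the one-year HSTS minimum are assumptions of this example.

```python
# Checks the CSP, HSTS and X-Frame-Options response headers described above.
# Example added to this page, not Smart IT code; samples below are constructed.
import re
# Directives the page says Smart IT defines out of the box (smartItCsp_*_0).
REQUIRED_CSP_DIRECTIVES = ("connect-src", "object-src", "script-src")
MIN_HSTS_MAX_AGE = 31536000  # one year; threshold is an assumption of this example

def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_security_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing, browsers may still use HTTP")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS: max-age missing or below %d" % MIN_HSTS_MAX_AGE)
    xfo = h.get("x-frame-options", "").strip().upper()
    if not (xfo in ("DENY", "SAMEORIGIN") or xfo.startswith("ALLOW-FROM ")):
        findings.append("X-Frame-Options: missing or invalid, page can be framed")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
        return findings
    policy = parse_csp(csp)
    for d in REQUIRED_CSP_DIRECTIVES:
        if d not in policy:
            findings.append("CSP: required directive %s is missing" % d)
    for src in policy.get("script-src", []):
        if src in ("*", "'unsafe-inline'") or src.startswith("http:"):
            findings.append("CSP: script-src allows %s" % src)
    return findings

# Constructed sample responses, not captured from a real server.
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "connect-src 'self'; object-src 'none'; script-src 'self'"}
WEAK = {"X-Frame-Options": "ALLOWALL", "Content-Security-Policy": "script-src * 'unsafe-inline'"}
if __name__ == "__main__":
    print(check_security_headers(HARDENED), check_security_headers(WEAK), sep="\n")
```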
