BusinessSecuritySettings Object

Contains information about the security settings for a business.

This object is used by the following operations:

The properties included in the BusinessSecuritySettings object are listed below. All values are optional.

Property Type Description
ReadRequestCSRFSupport String

Indicates whether CSRF validation is enabled for GET operations. Defaults to com.soa.feature.disabled. To turn on CSRF validation, set to com.soa.feature.enabled.

For more information, see CSRF Prevention on the Platform.

WriteRequestCSRFSupport String

Indicates whether CSRF validation is enabled for POST, PUT, and DELETE operations. Defaults to com.soa.feature.enabled. To turn off CSRF validation, set to com.soa.feature.disabled.

For more information, see CSRF Prevention on the Platform.

AllowUserEnum String

Indicates whether the stricter security settings are in place to help prevent enumeration of users. If AllowUserEnum is enabled, which is the default, the less strict behavior is in effect. If this value is set to com.soa.feature.disabled, the enhanced security behavior is activated.

For more information on the effects of this setting, refer to the Site Admin user help, How can I protect from vulnerability in Signup and Forgot Password scenarios? on the SOA documentation site.

EncryptChallengeAnswers String

Indicates whether the answers to the user profile challenge questions are encrypted in the database. Default: disabled. To encrypt the answers to user challenge questions, set to com.soa.feature.enabled.

ChallengeCount Integer

Indicates the number of challenge questions the user must answer when signing up for the platform.

UserModifyEmail String

Indicates whether a platform user can modify the email address associated with his/her account. Valid values:

  • com.soa.feature.enabled
  • com.soa.feature.disabled
SiteAdminModifyEmail String

Indicates whether a Site Admin can initiate user email address update associated with another user's account. Valid values:

  • com.soa.feature.enabled
  • com.soa.feature.disabled

The behavior differs between platform accounts and third-party accounts:

  • Platform accounts: The Site Admin can initiate an email address change on behalf of a platform account. Email notifications are sent to the old and new accounts. To complete the change initiated by the Site Admin, the user must change the password on the account.
  • Third-party accounts (Valid in version: 2020.1.0 and later): The Site Admin can change the email address for a third-party account. Email notifications are sent to the old and new accounts. The change is immediate.
CaptchaSupport String

Indicates whether CAPTCHA support is being used. If CAPTCHA support is enabled, the CaptchaSiteKey and CaptchaSiteSecret values are required.

The feature supports Google reCAPTCHA v2, which validates users by means of the "I am not a robot" checkbox.

CaptchaSiteKey String

The unique key for the account being used for CAPTCHA functionality on the Community Manager developer portal.

Required in request if CaptchaSupport is enabled.

CaptchaSiteSecret String

The site secret value for the account being used for CAPTCHA functionality on the Community Manager developer portal. Required in request if CaptchaSupport is enabled.

Not returned in responses.

AuthTokenCookieDomain

Valid in Version: 2019.1.35 and later

String

Contains information about the value to be set for the Community Manager developer portal cookies, for the Domain attribute, which can limit the domains for which the cookie can be valid. Applies to both the login cookie (authentication cookie) and the CSRF cookie. Options:

  • com.soa.auth.token.cookie.domain.hostname: Corresponds to No explicit setting in the UI: The Domain attribute is not set in the cookie. With this option, the value defaults to the hostname of the originating server. This is the default behavior, and is the behavior for earlier versions of the Akana product.
  • com.soa.auth.token.cookie.domain.hostname.mustset: Corresponds to Complete Hostname of Tenant in the UI: The Domain attribute is set to the complete hostname of the tenant URL that the user is accessing. Example: if the developer portal URL is https://apiportal.example.com, the Domain attribute of the cookie is set to apiportal.example.com. This is the most secure option.
  • com.soa.auth.token.cookie.domain.domainname: Corresponds to Only Domain of Tenant in the UI: The Domain attribute is set to the domain of the tenant URL that the user is accessing. Example: If the developer portal URL is https://apiportal.example.com, the Domain attribute of the cookie is set to example.com. In most cases, this allows access for all subdomains within the specified domain, though different browsers might have different behavior. This option is less restrictive than specifying the complete hostname, but more secure than having no Domain setting.

AuthTokenCookieSameSite

Valid in Version: 2019.1.35 and later

String

Contains information about the value to be set for the Community Manager developer portal cookies, for the SameSite attribute, which can limit the scope of the cookie so that it will only be valid for same-site requests. Applies to both the login cookie (authentication cookie) and the CSRF cookie. Options:

  • Default: Corresponds to No explicit setting in the UI: The SameSite attribute is not set in the cookie. The value defaults to the hostname of the originating server (default behavior for backward compatibility).
  • Lax: The cookie is not sent for a normal cross-site request (for example, to load images or frames into a third-party site), but is sent when a user is navigating to the origin site, such as when following a link.

    For more information, see "Strict" and "Lax" enforcement (Section 5.3.7.1 of RFC6265). Lax enforcement is more secure than having no setting, but not as secure as strict enforcement.

  • Strict: The cookie is only sent with "same-site" requests: that is, requests from the same domain. Cookies are not sent with requests initiated by third-party websites.

    For more information, see "Strict" and "Lax" enforcement (Section 5.3.7.1 of RFC6265).

  • None: The cookie is sent in all contexts, with same-site requests and with cross-site requests.
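The following added example (not Akana product code) shows which Set-Cookie attributes each AuthTokenCookieDomain and AuthTokenCookieSameSite option produces for a portal cookie. The cookie name, the Secure attribute and the way the "domain of the tenant" is derived are assumptions, noted in the comments.

```python
"""Added example (not Akana product code): the Set-Cookie attributes that each
AuthTokenCookieDomain and AuthTokenCookieSameSite option produces for a portal cookie."""
from typing import Optional
from urllib.parse import urlsplit

DOMAIN_HOSTNAME = "com.soa.auth.token.cookie.domain.hostname"            # attribute omitted
DOMAIN_HOSTNAME_MUSTSET = "com.soa.auth.token.cookie.domain.hostname.mustset"
DOMAIN_DOMAINNAME = "com.soa.auth.token.cookie.domain.domainname"
SAMESITE_OPTIONS = ("Default", "Lax", "Strict", "None")

def cookie_domain_attribute(portal_url: str, option: str) -> Optional[str]:
    """Value for the Domain attribute, or None when it must not be set."""
    host = urlsplit(portal_url).hostname
    if host is None:
        raise ValueError(f"no hostname in portal URL: {portal_url}")
    if option == DOMAIN_HOSTNAME:
        return None                   # browser scopes the cookie to the exact host
    if option == DOMAIN_HOSTNAME_MUSTSET:
        return host                   # e.g. apiportal.example.com (most secure)
    if option == DOMAIN_DOMAINNAME:
        # ASSUMPTION: "domain of the tenant URL" is read as the host minus its
        # first label; a production implementation should consult the public
        # suffix list so that a cookie is never scoped to a suffix such as co.uk.
        labels = host.split(".")
        return ".".join(labels[1:]) if len(labels) > 2 else host
    raise ValueError(f"unknown AuthTokenCookieDomain option: {option}")

def set_cookie_header(name: str, value: str, portal_url: str,
                      domain_option: str, same_site: str = "Default") -> str:
    """Build a Set-Cookie header value. Secure is always added here (an assumption
    for an HTTPS portal); browsers reject SameSite=None without it."""
    if same_site not in SAMESITE_OPTIONS:
        raise ValueError(f"unknown AuthTokenCookieSameSite option: {same_site}")
    parts = [f"{name}={value}", "Path=/", "Secure"]
    domain = cookie_domain_attribute(portal_url, domain_option)
    if domain is not None:
        parts.append(f"Domain={domain}")
    if same_site != "Default":        # Default: the attribute is not set
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)

if __name__ == "__main__":
    url = "https://apiportal.example.com"  # the page's example portal URL
    for opt in (DOMAIN_HOSTNAME, DOMAIN_HOSTNAME_MUSTSET, DOMAIN_DOMAINNAME):
        print(set_cookie_header("AuthToken", "<opaque>", url, opt, "Strict"))
```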
ExternalDocSupport String

Indicates whether users can view external webpages if they are referenced in platform content pages. Default: disabled.

XssKeywords String

A comma-delimited list of keywords that are disallowed in certain input fields, such as app, API, and group Name, Summary, and Description fields and forum discussions and tickets, to help prevent cross-site scripting (XSS) attacks.

Defaults:

onload,onerror,onmouseout,onmouseover,eval

You can add additional keywords, or you can remove one or more of the existing defaults (PUT operation only).

AllowedFileTypes

Valid in version: 2019.1.0

String

Allows the Site Admin to restrict the types of files users can upload. Default (*) allows any valid media type. Separator can be comma, space, or both. Examples:

  • application/json, text/plain, image/jpg
  • image/gif,image/jpg,image/png
  • application/json image/jpg application/pdf

WhiteListKeywordsSupport / WhiteListKeywords

Valid in version: 2019.1.11

String

WhiteListKeywordsSupport indicates whether an allowlist is enforced. WhiteListKeywords is a list of additional characters that are allowed, in addition to the platform defaults, when the allowlist is enforced.

If WhiteListKeywordsSupport is enabled, only characters on the allowlist are accepted in certain input fields, such as app, API, and group Name, Summary, and Description fields and forum discussions and tickets, for cross-site scripting prevention. Default characters allowed are:

  • alphanumeric characters (a–z, A–Z, 0–9)
  • comma (,)
  • period (.)
  • hyphen (-)
  • space ( )

Specify additional characters, without spaces. Example: ()/ allows these three characters in addition to the defaults.

Default value:

  • Version 2019.1.11 to 2019.1.18: Enforce Allowlist (previously called Enforce Whitelisting) is disabled by default, and all characters are allowed.
  • Version 2019.1.19 and later: Enforce Allowlist is enabled by default, with the following list of additional characters allowed:
    /#[]()'";?!_<=>@`~&
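The following added example (not Akana product code) applies both the XssKeywords denylist described above and the WhiteListKeywords character allowlist to a field value, using the defaults quoted on this page. The page does not say how keywords are matched, so the case-insensitive substring match is an assumption.

```python
"""Added example (not Akana product code): apply the XssKeywords denylist and the
WhiteListKeywords character allowlist to a field value as the page describes."""
from typing import List, Set

# Platform defaults as quoted on the page.
DEFAULT_XSS_KEYWORDS = "onload,onerror,onmouseout,onmouseover,eval"
DEFAULT_ALLOWED_CHARS = ",.- "                    # plus a-z, A-Z and 0-9
DEFAULT_ADDITIONAL_CHARS = "/#[]()'\";?!_<=>@`~&"  # version 2019.1.19 and later

def blocked_keywords(value: str, xss_keywords: str = DEFAULT_XSS_KEYWORDS) -> List[str]:
    """Disallowed keywords found in value.
    ASSUMPTION: the page does not state how keywords are matched; a
    case-insensitive substring match is the conservative choice."""
    keywords = [k.strip() for k in xss_keywords.split(",") if k.strip()]
    lowered = value.lower()
    return [k for k in keywords if k.lower() in lowered]

def disallowed_chars(value: str, additional_chars: str = "") -> Set[str]:
    """Characters in value that are neither platform defaults nor listed in
    WhiteListKeywords (the additional allowed characters)."""
    allowed = set(DEFAULT_ALLOWED_CHARS) | set(additional_chars)
    # isascii() keeps the default to a-z, A-Z, 0-9 only; str.isalnum alone
    # would also accept accented letters and other Unicode alphanumerics.
    return {c for c in value if not ((c.isascii() and c.isalnum()) or c in allowed)}

def validate_field(value: str, *, xss_keywords: str = DEFAULT_XSS_KEYWORDS,
                   allowlist_enforced: bool = True,
                   additional_chars: str = DEFAULT_ADDITIONAL_CHARS) -> List[str]:
    """Reasons the value is rejected; an empty list means it is accepted.
    Both checks are input-side, defence-in-depth controls; output encoding
    remains the primary XSS defence for rendered content."""
    reasons = [f"disallowed keyword: {k}" for k in blocked_keywords(value, xss_keywords)]
    if allowlist_enforced:
        bad = disallowed_chars(value, additional_chars)
        if bad:
            reasons.append("characters not on allowlist: " + "".join(sorted(bad)))
    return reasons

if __name__ == "__main__":
    # Constructed sample field values.
    for sample in ("Orders API (v2) - read-only", "<img src=x ONERROR=alert(1)>", "Price 5 €"):
        print(repr(sample), "->", validate_field(sample) or "accepted")
```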

AllowedFileTypesStrictPolicy

Valid in version: 2020.1.2 and later

String

Only applicable if the AllowedFileTypes setting is enabled. Optional security feature to apply stricter rules for limiting file types.

With strict policy enabled, only the exact specified media types are allowed. If this setting is disabled, supertypes of the allowed file types are also allowed. For example, if text/plain is allowed, then text/html, application/json, and other text-based media types are allowed.
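The following added example (not Akana product code) parses an AllowedFileTypes value with the documented separators and checks an upload's media type under both the strict and the non-strict policy. The exact set of "text-based" types admitted in non-strict mode, and the reading that any type sharing the top-level type of a listed type is a supertype match, are assumptions noted in the comments.

```python
"""Added example (not Akana product code): parse an AllowedFileTypes value and
check an upload's media type under the strict and non-strict policy."""
import re
from typing import Set

# Non-strict policy: the page says allowing text/plain also admits "html,
# application/json, and other text-based media types". ASSUMPTION: this set
# approximates that family; the product's exact list is not on the page.
TEXT_BASED_SUBTYPES = {"json", "xml", "javascript", "csv", "yaml"}

def parse_allowed_file_types(setting: str) -> Set[str]:
    """Split on the documented separators (comma, space, or both); '*' is the default."""
    return {t.lower() for t in re.split(r"[,\s]+", setting.strip()) if t}

def normalize_media_type(content_type: str) -> str:
    """Drop parameters such as '; charset=utf-8' and lowercase the type."""
    return content_type.split(";", 1)[0].strip().lower()

def _is_text_based(media_type: str) -> bool:
    top, _, sub = media_type.partition("/")
    return top == "text" or sub in TEXT_BASED_SUBTYPES or sub.endswith(("+json", "+xml"))

def is_upload_allowed(content_type: str, allowed_file_types: str, strict_policy: bool) -> bool:
    """Apply AllowedFileTypes, with AllowedFileTypesStrictPolicy deciding whether
    supertypes of the listed types are accepted. The media type checked here should
    come from server-side content detection, not only from the client's header."""
    allowed = parse_allowed_file_types(allowed_file_types)
    media_type = normalize_media_type(content_type)
    if "*" in allowed or media_type in allowed:
        return True                          # default '*', or an exact match
    if strict_policy:
        return False                         # strict: exact specified types only
    # Non-strict: a supertype is enough. ASSUMPTION: same top-level type counts
    # (image/png listed -> any image/*), and text/plain admits the text-based family.
    for listed in allowed:
        if media_type.partition("/")[0] == listed.partition("/")[0]:
            return True
        if listed == "text/plain" and _is_text_based(media_type):
            return True
    return False

if __name__ == "__main__":
    # Constructed settings and upload types.
    for setting in ("*", "image/gif,image/jpg,image/png", "text/plain"):
        for strict in (True, False):
            print(setting, "strict" if strict else "non-strict",
                  is_upload_allowed("image/svg+xml", setting, strict))
```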