Edit online

Configuring Security Settings

The Security tab in the Administration Page provides options for handling security-related features, including an option for specifying trusted code locations and a firewall option where you can choose to restrict access to hosts that are not specified as being trusted. Additionally, important security tips and recommendations can be found in the Security Hardening section of the documentation.

Security Options

The Security tab in the Administration Page includes a Security Options section with the following options:

Security Options
Application authentication provider
Use this option to activate application-level authentication to only allow authenticated users access to the application. This will significantly enhance the application's security, protecting against potential attacks (e.g. denial-of-service attacks). The possible selections are GitHub, GitLab, or GitLab Enterprise, but it is important to note that they are only available if configured. See Integrating Web Author with Git (GitHub, GitLab, Bitbucket) for configuration details.
Reject invalid security certificates
If selected, HTTPS connections with invalid certificates will be rejected. If not selected, security certificates are accepted, even if they are invalid.
Use the "Secure" attribute for the session cookie
If selected, the "Secure" cookie attribute will be added on the session cookie. This means that the browser will only send the session cookie over HTTPS (if enabled).
CAUTION:
Do not enable this option unless Web Author is accessed only over HTTPS.
Use HTTP Strict Transport Security (HSTS)
If selected, the Strict-Transport-Security header that makes browsers access the application's domain will be set using only HTTPS protocol (including subdomains).
Warning:
Do not set this option unless all the applications hosted on the DNS domain where Web Author is hosted, and the applications on the subdomains of this domain, are hosted only over HTTPS. Applications that use HTTP instead of HTTPS and are hosted on the DNS domain of Web Author and its subdomain will not work for Web Author users after you enable this setting.

Trusted Code

In Oxygen XML Web Author, Code refers to resources that can affect document appearance or functionality. Code resources can take many forms, such as CSS files, Schematron rules, and embedded content loaded through iframe targets (e.g. oxy_video or oxy_browser).

By default, Oxygen XML Web Author does not load code referenced directly in documents unless the code originates from the framework (document type association) or a plugin. This restriction is important for security, as it helps prevent the execution of untrusted or potentially harmful scripts, which could compromise data, user privacy, or system functionality.

You can specify code locations to be considered trusted by adding them in the Trusted Code option in the Security tab of the Administration Page. Only add trusted and verified code locations to ensure secure script execution. The code locations need to be declared with URL patterns, one per line. For example:
*//github.com/*
webdav-https://my-server:8081/repo/*
https://youtube.com/embed/*
Note:
The location of a resource should be its OXY-URL.
To consider all code as trusted (which is equivalent to disabling this security feature and is not recommended), you can use a wildcard that matches any location:
*

Firewall

It is possible to restrict the domains that the Web Author server is allowed to connect to. The Security tab in the Administration Page includes a Firewall section where you can choose to allow all connections or only allow connections to hosts that you specify as trusted. You can specify the hosts to be considered trusted by adding them (one per line) in the Only allow connections to these trusted hosts option. For example:
www.oxygenxml.com:443
*.mycompany.intranet

To allow connections to a domain regardless of the port, you can specify just the domain name. The wildcard character * can also be used, for example, to match any subdomain.

If the Allow All Connections and Log each connection options are enabled, a log entry will be added for each outgoing connection that contains the [OUTGOING CONNECTION] token. This is useful for monitoring and for determining which domains should be marked as trusted.

Notes:

  • Plugins can specify whether a connection is allowed or denied, regardless of whether or not they are listed in the Security tab of the Administration Page. For example, the Perforce plugin allows connections to the Perforce server configured in the Administration page.

    To see which plugins allowed or denied connections, you can activate logging for this kind of events by adding the following line to the log configuration file:
    log4j.category.com.oxygenxml.webauthor.SecurityManager=info

    Lines that correspond to such events contain the token [PLUGIN FIREWALL DECISION].

  • Connections that have no security risks (such as connections to the License Server) are also allowed regardless of the settings in the Security tab of the Administration Page.

Content Security Policy (CSP)

The Security tab in the Administration Page includes a CSP section where you can choose whether or not to use the Content Security Policy (CSP) and you can configure your own custom security policy. For more information about the Content Security Policy, see: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.