Cross-site Scripting and Cookies
You can improve the protection of Genesys Administrator Extension (GAX) against Cross-site Scripting (XSS) attacks by setting the HttpOnly and Secure flags on your HTTP server, in addition to the existing GAX security. These flags tell browsers how to handle cookies.
Server-side cookies can be tagged with HttpOnly and Secure flags to tell the browser how to deal with them. To achieve a maximum level of security, administrators must make this configuration on the Application Server.
Securing Server-side Cookies
With the Secure flag set, cookies are transmitted only from the browser to the server when the connection is secured by using the HTTPS protocol. This setting is applicable to HTTPS connections only. Therefore, you must configure GAX to use an HTTPS connector, not an HTTP connector.
Follow these recommendations to configure the HttpOnly and Secure flags.
Open and edit the following file: $CATALINA_HOME/conf/context.xml
To set the HttpOnly flag, add the following attribute:
The main tag should be:
Instead of: <Context>
Open and edit the following file: $CATALINA_HOME/conf/server.xml
To set the Secure flag, add the following attribute to the HTTPS connector:
The flag must not be applied to any non-HTTPS connectors. If you apply the flag to an HTTP connection, it will become unusable for Genesys Administrator Extension.
The following is an example of a valid connector:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="/home/gcti/keystore.key" keystorePass="genesys" clientAuth="false" sslProtocol="TLS" />
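The following script is an added check, not part of the original page or the Genesys product: it parses a context.xml and a server.xml and reports whether the cookie flags are set as recommended above. It assumes Tomcat's documented Context attribute useHttpOnly (not shown on this page) and the Connector attributes from the page's example; the sample XML is constructed inline, with a deliberate plain-HTTP connector carrying the Secure flag to show the misconfiguration the page warns about.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not from the original page). The 8443 connector
# mirrors the page's example; the 8080 connector has the Secure flag applied
# to a non-HTTPS connector, which the page says makes it unusable for GAX.
CONTEXT_XML = '<Context useHttpOnly="true"></Context>'
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" secure="true" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" keystoreFile="/path/to/keystore.key"
               keystorePass="CHANGE_ME" clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>"""


def http_only_enabled(context_xml: str) -> bool:
    """True when the root <Context> element sets Tomcat's useHttpOnly attribute."""
    root = ET.fromstring(context_xml)
    return root.tag == "Context" and root.get("useHttpOnly", "").lower() == "true"


def check_connectors(server_xml: str) -> list:
    """Return (port, status) for every Connector in server.xml.

    A connector counts as HTTPS only when it is both SSLEnabled and scheme="https";
    the Secure flag is expected on those and must be absent on all others.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        is_https = (conn.get("SSLEnabled", "").lower() == "true"
                    and conn.get("scheme", "").lower() == "https")
        has_secure = conn.get("secure", "").lower() == "true"
        if is_https and has_secure:
            findings.append((port, "ok"))
        elif is_https:
            findings.append((port, "HTTPS connector missing secure flag"))
        elif has_secure:
            findings.append((port, "secure flag on non-HTTPS connector"))
        else:
            findings.append((port, "plain HTTP connector, no cookie flags"))
    return findings


if __name__ == "__main__":
    print("HttpOnly set in context.xml:", http_only_enabled(CONTEXT_XML))
    for port, status in check_connectors(SERVER_XML):
        print(f"port {port}: {status}")
```

Point the two constants at the real $CATALINA_HOME/conf files to run it against an installation.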