10.2.4 CSP and CORS Configuration

Thinfinity® Workspace includes predefined HTTP headers to enforce Content Security Policy (CSP) and Cross-Origin Resource Sharing (CORS) rules. These headers are configured in a centralized template file, which ensures consistent behavior across web components and enhances the platform's security posture.

Configuration Location and Structure

The CSP and CORS headers are defined within the web-headers.json file located at C:\Program Files\Thinfinity\Workspace\web-headers.json.

The document is structured in JSON format and comprises the following sections:

  • templates: Contains predefined templates, each encompassing a collection of HTTP headers. These templates delineate sets of HTTP rules applicable across various routes, services, or scenarios.

  • cookie-attributes: A dedicated section holding the attributes applied to declared cookies.

  • template-by-page: Specifies the template to be applied based on the filename.

  • template-by-content-type: Determines the template to be applied based on the content type.

  • template-by-script: Reserved for REST requests.

  • existing-thinfinity-variables: An internal section defining Thinfinity Workspace values that are exposed as header variables.

In this file, the default template includes a comprehensive list of HTTP headers that control how the Thinfinity Workspace web client interacts with the browser and other origins. All other predefined templates sit one level below it in a single-level hierarchy: each inherits the headers of the default template and changes only the headers it explicitly overrides.

Content Security Policy (CSP)

The Content-Security-Policy header restricts which sources are allowed to load content such as scripts, styles, images, and media. This helps prevent cross-site scripting (XSS), clickjacking, and other common web-based attacks.

Thinfinity Workspace defines a strict CSP with granular directives. For example:

  • Only trusted domains and dynamic variables like PUBLIC_HOST or COMM_GATEWAY_LIST are allowed as sources.

  • Inline scripts and styles are restricted unless explicitly required.

  • Default content sources are denied (default-src 'none'), so every content type must be explicitly allowed by its own directive.

These configurations are evaluated and expanded at runtime based on your deployment environment.

Cross-Origin Resource Sharing (CORS)

CORS headers in the template allow Thinfinity Workspace to interact with other origins securely. These include:

  • Access-Control-Allow-Credentials: Enables cross-origin requests that carry cookies or HTTP authentication credentials.

  • Access-Control-Allow-Methods and Access-Control-Allow-Headers: Define which HTTP methods and custom request headers are permitted.
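The following is an added example, not Thinfinity's code, that models how a web-headers.json-style file is resolved: it selects a template by page name or content type, merges it over the default template (single-level inheritance with overrides), expands variables such as PUBLIC_HOST and COMM_GATEWAY_LIST, and then runs the checks a reviewer would apply to the resulting CSP and CORS headers. The six section names come from the documentation above; the layout inside each section, the ${VAR} placeholder syntax and the sample values are assumptions made for illustration.

```python
import re

# Constructed sample in the shape this page describes. The six section names
# come from the documentation; the per-section layout and the ${VAR}
# placeholder syntax are assumptions for illustration, not Thinfinity's schema.
SAMPLE = {
    "templates": {
        "default": {
            "Content-Security-Policy": "default-src 'none'; script-src 'self' https://${PUBLIC_HOST}; "
                                       "connect-src ${COMM_GATEWAY_LIST}",
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Origin": "https://${PUBLIC_HOST}",
            "X-Content-Type-Options": "nosniff",
        },
        # A child template: overrides one header and drops another (None).
        "api": {"Access-Control-Allow-Methods": "GET, POST", "X-Content-Type-Options": None},
    },
    "template-by-page": {"api.json": "api"},
    "template-by-content-type": {"text/html": "default"},
    "existing-thinfinity-variables": {"PUBLIC_HOST": "ws.example.test",
                                      "COMM_GATEWAY_LIST": "wss://gw1.example.test wss://gw2.example.test"},
}


def resolve(cfg, page=None, content_type=None):
    """Select a template by page name, else by content type, else 'default';
    merge it over the default template and expand variables as the runtime would."""
    name = cfg["template-by-page"].get(page) or cfg["template-by-content-type"].get(content_type, "default")
    headers = dict(cfg["templates"]["default"])
    for key, value in cfg["templates"][name].items():
        if value is None:
            headers.pop(key, None)  # an override may remove an inherited header
        else:
            headers[key] = value
    variables = cfg["existing-thinfinity-variables"]

    def expand(value):  # replace ${NAME} with the deployment-specific value
        return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), m.group(0)), value)
    return {k: expand(v) for k, v in headers.items()}


def check(headers):
    """Findings a reviewer would raise against the resolved header set."""
    findings = []
    csp = headers.get("Content-Security-Policy", "")
    if not re.search(r"(^|;)\s*default-src\s+'none'", csp):
        findings.append("CSP does not deny by default (no default-src 'none')")
    if "'unsafe-inline'" in csp:
        findings.append("CSP permits inline scripts or styles")
    if headers.get("Access-Control-Allow-Credentials") == "true" and headers.get("Access-Control-Allow-Origin") == "*":
        findings.append("credentialed CORS with wildcard origin (browsers reject this pairing)")
    return findings
```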

Additional Security Headers

Thinfinity Workspace also includes other recommended security headers such as:

  • Strict-Transport-Security

  • X-Content-Type-Options

  • Referrer-Policy

  • Permissions-Policy

These headers are part of the default template and help enforce modern browser security practices.

Customization

While default rules are suitable for most environments, advanced users may customize or create additional templates to meet specific compliance or integration needs.
