11.1.2 Allowed Pages

The allowed-pages.json file is a security configuration file. Its main function is to act as a whitelist for Thinfinity® Workspace.

This file tells the server that only the specifically listed web pages are permitted to be loaded or accessed directly by a user. Any attempt to access a URL or a file that is not on this list will be blocked.

Its purpose is security. By defining a strict list of allowed pages, it prevents a variety of cyberattacks, such as:

  • Directory Traversal: It prevents an attacker from guessing and accessing sensitive server files that should not be public (configuration files, internal scripts, etc.).

  • Unauthorized Feature Access: It stops users from accessing pages or functionalities that may exist but are not intended for direct use (debugging or internal administration pages).

The set of enabled pages ranges from the Thinfinity Workspace homepage to "common error" pages like 401.html, 403.html, 404.html, and 500.html. These are the standard HTTP error pages (Unauthorized, Forbidden, Not Found, and Server Error).

Additionally, the file enables pages for application administration and monitoring (like admin.html, workmonitor.html, and brokersmonitor.html) and for authentication (duo.html, totp.html, and webauthn.html), among other utilities.

The allowed-pages.json file is a critical security measure for Thinfinity Workspace. It works by maintaining a strict list of all legitimate pages that make up the application and blocking access to anything else to protect the system from unauthorized access and potential attacks.
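
The deny-by-default matching described in this section, as an added example that is not Thinfinity's own code: it sorts request targets into allowed pages, unlisted pages, and traversal-style or malformed paths. The flat JSON array, the case-insensitive comparison, the function names and the sample targets are assumptions made for illustration; the product's real file layout is not shown on this page.

```python
import json
from urllib.parse import unquote

# Constructed sample list using page names mentioned in this section.
# Assumption: a flat JSON array; the real allowed-pages.json layout may differ.
ALLOWED = frozenset(json.loads(
    '["401.html", "403.html", "404.html", "500.html", "admin.html",'
    ' "workmonitor.html", "brokersmonitor.html",'
    ' "duo.html", "totp.html", "webauthn.html"]'
))

def decode_fully(raw: str, limit: int = 4):
    """Percent-decode until stable; None if still changing after `limit` passes."""
    for _ in range(limit):
        decoded = unquote(raw)
        if decoded == raw:
            return raw
        raw = decoded
    return None

def classify(request_target: str) -> str:
    """Return 'allowed', 'unlisted', 'traversal' or 'malformed' for one target."""
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    path = decode_fully(path)
    if path is None or any(ord(c) < 0x20 for c in path):
        return "malformed"  # layered encoding or control bytes: never served
    path = path.replace("\\", "/")  # Windows accepts both separators
    if ".." in path.split("/"):
        return "traversal"
    # Deny by default: one leading slash, then an exact listed name.
    # Assumption: names compare case-insensitively, as on a Windows file system.
    if path.startswith("/") and path[1:].lower() in ALLOWED:
        return "allowed"
    return "unlisted"

# Constructed request targets, not taken from any real log.
SAMPLES = [
    "/admin.html",
    "/debug.html",
    "/..%2f..%2fsettings.ini",
    "/admin.html/..%5c..%5csettings.ini",
    "/%252e%252e/%252e%252e/settings.ini",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{classify(target):10} {target}")
```

Only the first sample is served; the second is an unlisted page, and the last three decode to paths containing `..` segments.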
