Global security settings - Infor OS Portal

In the Global security settings dashboard, you can create and maintain a list of secure sites in which Dashboards can be embedded. The purpose of this is to protect against user interface redress attacks (Clickjacking).

In a clickjacking attack, links that send information to an attacker's server are disguised as legitimate links, so a user may unwittingly submit sensitive information to the attacker.

To prevent clickjacking, HTTP response headers (Content-Security-Policy: frame-ancestors) are configured to allow embedding Dashboards only in the secure sites that you list. The headers are applied automatically based on your selection.

The Infor OS Portal URLs are preconfigured as secure sites.

Permission to maintain the list can be restricted to system tenants. The permission is enabled by selecting the Customers can add secure sites check box in the system tenant's security settings. When the permission is enabled, standard tenants can view the secure sites list but cannot edit it.

In the Sites that can embed Infor EPM Dashboards section on the Global Security Settings page, you can select these options:

  • Any site: If selected, Dashboards can be embedded in and opened from any external site with no restrictions. In this case, no Content-Security-Policy headers are sent.
  • Secure sites only: If selected, Dashboards can be embedded only in the sites that are listed in the Secure Sites table. The sites are automatically included in the HTTP response headers (Content-Security-Policy: frame-ancestors). At least one site must be listed to enable this option.
  • Open Infor EPM Dashboards only from secure sites: Available only if you selected the Secure sites only option. If selected, a dashboard can only be opened if the request comes from one of the secure sites and the dashboard is embedded in the secure site. Direct access to that dashboard by specifying a URL in a browser or using a bookmark is blocked.
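The following added example (not Infor's code) models the three options above: it builds the `Content-Security-Policy: frame-ancestors` value for a site list, emulates the browser's framing check against it, and models the "open only from secure sites" rule as a Referer check. The site URLs are constructed placeholders, and the Referer-based model of the third option is an assumption.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed placeholder list; in the product the list is the Secure Sites table.
PORTAL_SITE = "https://portal.example.com"  # stands in for the preconfigured Infor OS Portal URL
SECURE_SITES = [PORTAL_SITE, "https://intranet.example.org"]


def _origin(url: str) -> str:
    """Reduce an absolute http(s) URL to scheme://host[:port], the unit frame-ancestors lists."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return f"{parts.scheme}://{parts.netloc}".lower()


def csp_header(mode: str, sites: List[str]) -> Optional[str]:
    """Header value for the selected option.

    'any'    -> None: no Content-Security-Policy header is sent at all
    'secure' -> 'frame-ancestors <origin> ...'; at least one site is required
    """
    if mode == "any":
        return None
    if mode == "secure":
        if not sites:
            raise ValueError("'Secure sites only' requires at least one listed site")
        origins = list(dict.fromkeys(_origin(s) for s in sites))  # de-duplicate, keep order
        return "frame-ancestors " + " ".join(origins)
    raise ValueError(f"unknown mode {mode!r}")


def embedding_allowed(header: Optional[str], embedder_url: str) -> bool:
    """Simplified browser check: may a page at embedder_url frame the dashboard?"""
    if header is None:  # 'Any site': nothing restricts framing
        return True
    allowed = header.split()[1:]  # tokens after the 'frame-ancestors' directive name
    return _origin(embedder_url) in allowed


def direct_open_allowed(referer: Optional[str], sites: List[str]) -> bool:
    """Assumed model of 'Open ... only from secure sites': the request must carry a
    Referer from a listed site; a URL typed into the browser or a bookmark has none."""
    if not referer:
        return False
    return _origin(referer) in {_origin(s) for s in sites}
```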