17.3.2.1.1. Security aspects when using the Loginapp REST UI SDK

The Loginapp REST UI and all advanced customizations are JavaScript-based. This carries the security risks inherent in JavaScript and browser technologies, so every customization should be carefully reviewed from a security perspective. It is recommended to follow the security best practices below.

Enforce a strict content security policy (CSP)

A content security policy allows using rules to define which content is allowed in a web front-end. It is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to website defacement to distribution of malware.

In Airlock IAM, the CSP for the Loginapp REST UI can be defined in the security settings here:
Loginapp >> UI Settings

By default, IAM uses strict rules to provide a maximal security level. For example, the default policy forbids inline JavaScript and inline CSS styles.

Protect against cross-site request forgery (CSRF)

To protect against cross-site request forgery (CSRF) attacks, IAM also provides a setting here:
Loginapp >> REST Settings

By default, CSRF protection is enabled. With this option enabled, REST clients must send the X-Same-Domain header, with an arbitrary value, on every invocation.
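The following added example (not Airlock's code) shows how a JavaScript customization can route every REST call through one helper that always sets the X-Same-Domain header, plus an illustrative server-side presence check that explains why the header defeats CSRF. The endpoint paths, the header value `'1'` and the check function are assumptions for this illustration.

```javascript
// Added example, not part of the Airlock IAM product or documentation.
// IAM's CSRF protection requires the X-Same-Domain header with an arbitrary
// value on every REST invocation; a central helper makes that hard to forget.

const CSRF_HEADER = 'X-Same-Domain';

// Build the fetch() options for a Loginapp REST call. Only the presence of the
// header matters, so a fixed constant value is sufficient (assumed value '1').
function buildRequestInit(method, body) {
  const headers = {
    [CSRF_HEADER]: '1',
    Accept: 'application/json',
  };
  const init = { method, headers, credentials: 'same-origin' };
  if (body !== undefined) {
    headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(body);
  }
  return init;
}

// Illustrative server-side view (assumed, not IAM's implementation): a browser
// cannot attach a custom header to a cross-site form post or a "simple"
// cross-origin request without a CORS preflight, so a request lacking the
// header is treated as potentially forged. Header names are case-insensitive.
function isSameDomainRequest(headers) {
  const key = Object.keys(headers).find(
    (h) => h.toLowerCase() === CSRF_HEADER.toLowerCase()
  );
  return key !== undefined && String(headers[key]).length > 0;
}

// Every REST call in the customization goes through this wrapper.
async function callRest(path, method = 'GET', body) {
  const response = await fetch(path, buildRequestInit(method, body));
  if (!response.ok) {
    throw new Error(`REST call to ${path} failed with HTTP ${response.status}`);
  }
  return response.json();
}
```

Under the default strict CSP, this helper must live in an external script file rather than an inline `<script>` block, since inline JavaScript is forbidden by the policy.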