The Loginapp UI and all advanced customization are JavaScript-based. This poses a certain security risk inherent in using JavaScript and browser technologies. All customizations should therefore be carefully reviewed from a security perspective. It is recommended to observe the security best practices below.
Enforce a strict content security policy (CSP)
A content security policy allows using rules to define which content is allowed in a web front-end. It is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to website defacement to the distribution of malware.
In Airlock IAM, the CSP for the Loginapp UI can be defined in the security settings under Loginapp >> UI Settings
By default, IAM uses strong rules to provide a maximal security level. For example, it forbids inline JavaScript or inline CSS styles.
Protect against cross-site request forgery (CSRF)
To protect from cross-site request forgery (CSRF) attacks, IAM also provides a setting at:
Loginapp >> Security Settings
By default, CSRF protection is enabled. Using this option, REST clients must define the X-Same-Domain header with an arbitrary value for every invocation.