Security threats and mitigation
Cross-Site Request Forgery (CSRF) and Cross-site scripting (XSS) are two common web application vulnerabilities, and Sitecore Content Hub provides multiple layers of protection to mitigate them.
CSRF attacks
Cross-Site Request Forgery (CSRF) is an attack where a user is tricked into performing unwanted actions on a web application in which they are authenticated. The attacker sends a crafted, malicious request to the web application using the victim's credentials (such as session cookies), making the request appear legitimate to the server. CSRF attacks generally target state-changing actions on the server, such as updating or deleting user details or data. These actions are dangerous because the web application can't distinguish between a legitimate request from the authenticated user and a malicious, forged request from the attacker. Data-retrieving actions are typically less useful in CSRF attacks because the response goes to the victim’s browser, not directly to the attacker.
Mitigation
All browsers that comply with the W3C standard for Cross-Origin Resource Sharing (CORS) make a preflight request, also known as an OPTIONS request, before accessing the API, to check whether an external site is allowed to use the API. The browser checks the response for the Access-Control-Allow-Origin header, which can be set to * to permit requests from any origin. If this header isn't present, the request is denied.
For browsers that don't comply with the W3C standard, such as certain builds of Internet Explorer and Safari, Content Hub includes an additional security layer. The Content Hub API only communicates using application/json, and it requires the withCredentials flag to be set to true for XMLHttpRequest. This flag ensures that cross-site requests include credentials such as cookies, authorization headers, or TLS client certificates. Because an HTML form can only submit form-encoded, multipart, or plain-text bodies, a forged form post cannot produce a request the API will accept.
Lastly, because a page can only read cookies belonging to its own site, Content Hub has the server generate a token on each page refresh. This token is stored in a cookie; only script running on the actual site can read it and send it back with each request, so a request originating outside the site cannot reproduce it.
XSS attacks
Cross-site scripting (XSS) is a security exploit that allows an attacker to inject malicious, client-side code into an otherwise benign and trusted website. This code is executed in the victim's browser and lets the attacker bypass access controls and thereby impersonate the user. These attacks succeed if the web app does not sufficiently validate input or encode output. The user's browser can't detect that the malicious script is untrustworthy, so it allows the script access to any cookies, session tokens, or other sensitive site-specific information, and lets it rewrite the HTML content.
Mitigation
All user-supplied content is rendered either through a text binding, which treats the value as text and does not execute JavaScript, or, for rich text fields, through a rich text editor binding, which also prevents script execution.