Lifecycle Management Suite Release Highlights - Loan Origination
Security Enhancements

The following security enhancements have been included in the Lifecycle Management Suite's 16.05 release:

HttpOnly and Secure Attributes

A feature has been implemented to make the cookies used by the Lifecycle Management Suite more secure and less vulnerable to cross-site scripting. With this feature, the HttpOnly and Secure attributes for all cookies in the Lifecycle Management Suite have been set to true. HttpOnly keeps client-side script from reading a cookie, and Secure restricts the cookie to HTTPS connections. These enhancements help ensure that the cookies used by the Lifecycle Management Suite and Virtual Capture remain secure and do not become vulnerable when stored on a user's computer.

HTTP Response Headers

A feature has been implemented to remove the miscellaneous HTTP response headers from the Lifecycle Management Suite and Virtual Capture that indicated client software platforms and applications. This enhancement helps ensure that the Lifecycle Management Suite and Virtual Capture remain secure.

Institutions running IIS version 8 or higher must install the URL-Rewrite tool from Microsoft to handle the Server header, as this feature does not remove the Server header for the most recent versions of IIS. The following rule example may be used in URL-Rewrite to change the value of the Server header that is returned. The rewrite element belongs inside the system.webServer section of web.config:

<rewrite>
   <outboundRules>
      <rule name="changeServerHeader">
         <match serverVariable="RESPONSE_Server" pattern=".*" />
         <action type="Rewrite" value="MyServer" />
      </rule>
   </outboundRules>
</rewrite>
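
One way to confirm both enhancements above (cookie attributes and header removal) after upgrading and applying the rewrite rule is to audit a response's headers. This is an added example, not code from the Lifecycle Management Suite or its vendor. The disclosure header names other than Server, the cookie names, and the sample responses are assumptions constructed for illustration.

```python
import re
from email.parser import Parser

# Headers that commonly disclose platform details on IIS/ASP.NET (assumed list;
# the release notes name only the Server header).
DISCLOSURE_HEADERS = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
# A Server value is treated as disclosing if it names a product or carries a version.
SERVER_LEAK = re.compile(r"iis|apache|nginx|/\d", re.IGNORECASE)


def audit_response_headers(raw_headers: str) -> list:
    """Return findings for one response's header block (status line excluded)."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    findings = []
    for name, value in msg.items():  # items() keeps repeated Set-Cookie headers
        lname = name.lower()
        if lname in DISCLOSURE_HEADERS:
            findings.append(f"disclosure header present: {name}: {value}")
        elif lname == "server" and SERVER_LEAK.search(value):
            findings.append(f"Server header reveals platform: {value}")
        elif lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            # Attributes follow the first ';' and are case-insensitive.
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            for required in ("httponly", "secure"):
                if required not in attrs:
                    findings.append(f"cookie {cookie_name} missing {required}")
    return findings


# Constructed sample responses (not captured from the product).
BEFORE = """\
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly
Set-Cookie: pref=compact; path=/
"""
AFTER = """\
Server: MyServer
Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure
Set-Cookie: pref=compact; path=/; secure; httponly
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response_headers(sample) or "no findings")
```

To check a live deployment, pass in the header block saved from a response, for example the output of `curl -sI` with the status line removed.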

Security Enhancements for Virtual Capture

Cross-Site Request Forgery

Virtual Capture has been enhanced to prevent Cross-Site Request Forgery (CSRF) attacks. With this feature, security measures have been implemented to mitigate the CSRF vulnerabilities.

Security Enhancements for Login Methods

Online Profile

The following enhancement was made to improve the security of the Online Profile Login method:

SSO

The following enhancements have been made to improve the security of the SSO Login method:

Eliminate HTML Injection

The ability to inject HTML into the Error page for Virtual Capture has been eliminated. Errors are now returned and displayed directly from the server, rather than passing the ErrorMsg in a query string.

 

 


©2017 Akcelerant Software LLC. All Rights Reserved.