
Disable cross-site scripting (XSS) in NGINX and disable lower TLS protocol versions

  • 9 April 2024

Topic

Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

 

Instructions

To disable cross-site scripting, do the following:

  1. Go to C:\Nintex\IDP\Aerobase\Data\nginx\conf.d

  2. Open nginx-security-hardening.import using a text editor

  3. Insert the line: add_header "X-Frame-Options" "ALLOW-FROM <FQDN>";

     

  4. Save and close the file

  5. Restart RPA services

  6. Check that the components listed below are working and that you are able to log in:
    - Aerobase
    - Admin
    - Studio
    - Robot

  7. If a customer asks to disable the lower TLS protocol versions (e.g. TLS 1.0 / TLS 1.1), update the following two files:
    Remove tlsv1 and tlsv1.1 from the files aerobase-http.conf and aerobase-subdomains.conf
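
One way to check the edits from steps 3 and 7, as an added example that is not part of the original article or of Nintex's own tooling: the script reports any tlsv1/tlsv1.1 entries still enabled and the X-Frame-Options value that is set. It assumes the TLS versions are listed in nginx's ssl_protocols directive (the article does not name the directive); the sample configuration and the host name rpa.example.test are constructed.

```python
import re
import sys

# TLS versions the article says to remove (matched case-insensitively).
LEGACY_TLS = {"tlsv1", "tlsv1.1"}
TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|([^\s"\']+)')

def directives(conf_text):
    """Yield (name, args) per directive. Simplified: '#' always starts a comment
    and ';', '{', '}' always end a statement, even inside quotes."""
    without_comments = re.sub(r"#[^\n]*", "", conf_text)
    for statement in re.split(r"[;{}]", without_comments):
        words = ["".join(groups) for groups in TOKEN.findall(statement)]
        if words:
            yield words[0], words[1:]

def audit(conf_text):
    """Return legacy TLS versions still enabled and X-Frame-Options values set."""
    found = {"legacy_tls": [], "x_frame_options": []}
    for name, args in directives(conf_text):
        if name == "ssl_protocols":  # assumption: where tlsv1/tlsv1.1 are listed
            found["legacy_tls"] += [a for a in args if a.lower() in LEGACY_TLS]
        elif name == "add_header" and args and args[0].lower() == "x-frame-options":
            found["x_frame_options"].append(" ".join(args[1:]))
    return found

# Constructed sample input, not copied from a real Aerobase installation.
SAMPLE_BEFORE = """
server {
    listen 443 ssl;
    # ssl_protocols TLSv1;   <- commented out, must be ignored
    ssl_protocols TLSv1 TLSv1.1
                  TLSv1.2;
}
"""
SAMPLE_AFTER = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    add_header "X-Frame-Options" "ALLOW-FROM rpa.example.test";
}
"""

if __name__ == "__main__":
    # Usage: python audit_nginx.py <config file> [<config file> ...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            print(path, audit(handle.read()))
```

Run it with the paths of nginx-security-hardening.import, aerobase-http.conf and aerobase-subdomains.conf as arguments. X-Frame-Options controls which sites may frame the pages, and current browsers ignore its ALLOW-FROM value; the Content-Security-Policy frame-ancestors directive is the supported equivalent.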
     

     

