Server Administrator's Guide
Business Process Server web security

Business Process Server Web Security protects the Business Process Portal web application from common vulnerabilities such as Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF).
BPM portal web security is based on filters that take care of the following tasks:
* Managing XSS attacks by escaping active content in all request parameters.
* XSRF guarding by rejecting requests whose source origin is wrong, and by validating the security token on every request that modifies system state.
* The JSHJ (JavaScript hijacking) vulnerability is addressed by the XSRF filter and by validating the security token on every request that returns data easily parsed by JavaScript, such as JSON.
* An additional level of security is achieved by marking the session cookie HttpOnly, which makes an XSS attack harder to exploit.
Note: To enable POST HTTP requests for sensitive parameters, set bpmportal.post.sensitive.parameters=true in the bpmportal.conf file located in the OEBPS_HOME\conf folder; the default value of this parameter is false. This enables POST HTTP requests for sensitive parameters passed from BP Server to BPM WebFlow, or from one BPM WebFlow to another BPM WebFlow Subprocess.
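The following is an added example, not BPM portal code, that models the XSRF, JSHJ and HttpOnly rules listed above as a small request filter: a state-modifying request must carry a matching source origin and a valid security token, a JSON-returning request must carry the token even on GET, and the session cookie is issued HttpOnly. The Request class, the csrfToken parameter name and the X-CSRF-Token header are assumptions made for this example.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TOKEN_PARAM = "csrfToken"          # assumed name; not the BPM portal's parameter

# Hypothetical request model; the field names are assumptions for this example.
@dataclass
class Request:
    method: str
    url: str                            # target URL, used to derive the expected origin
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    session_token: str = ""             # XSRF token held in the user's server-side session
    returns_json: bool = False          # handler answers with JSON meant for page scripts

def _origin_of(value):
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}".lower() if parts.netloc else None

def _source_origin(req):
    # Browsers send Origin on most cross-site requests; Referer is the fallback.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    return _origin_of(src) if src else None

def _token_valid(req):
    supplied = req.params.get(TOKEN_PARAM) or req.headers.get("X-CSRF-Token", "")
    # Constant-time compare so token checks do not leak timing information.
    return bool(req.session_token) and hmac.compare_digest(supplied, req.session_token)

def xsrf_filter(req):
    """Return (allowed, reason). Encodes the XSRF and JSHJ rules described above."""
    modifying = req.method.upper() not in SAFE_METHODS
    if modifying:
        # Rule 1: a state-modifying request must come from our own origin.
        src = _source_origin(req)
        if src is None or src != _origin_of(req.url):
            return False, "wrong or missing source origin"
    if modifying or req.returns_json:
        # Rule 2/3: token required for modifying requests and for JSON responses,
        # so a cross-site <script src=...> load of a JSON endpoint is refused.
        if not _token_valid(req):
            return False, "missing or invalid security token"
    return True, "ok"

def session_cookie_header(session_id):
    # HttpOnly keeps document.cookie (and thus injected script) from reading the session id.
    return f"JSESSIONID={session_id}; Path=/; HttpOnly; Secure"
```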
* Configuring web security
* XSS handler implementation
* XSRF handler implementation
* Cross domain security