Chat API Protection

B2C Service supports a Chat API that must be enabled by Oracle. When enabled, the API is protected by a configuration setting that specifies the IP addresses and subnet masks that are permitted to make requests to the Chat API. If this setting is enabled but left blank, all hosts are allowed.

Note: Access to the Chat API is defined by the hidden CHAT_WS_API_IP_HOST configuration setting. To enable this setting and specify the IP addresses and subnet masks you want to allow, Submit a Service Request.

User Protection

By enabling the INC_PRIVATE_TRANSCRIPT_ONLY configuration setting, you can change the privacy of the information in a Chat exchange. Instead of being added to an incident as public information, it is added as a private note, which restricts access to the data. If there is a chance that staff members will enter sensitive information during a chat session, this setting should be enabled.

It is also possible to configure Chat to allow off-the-record chats in which the exchanged data is not recorded and can be seen only in real time by the agent.

Cross-Origin Resource Sharing Protection

Cross-origin resource sharing (CORS) lets client-side code running on one origin make requests to another origin. An attacker can abuse this functionality to retrieve information from your site or to perform actions as a valid user. You can protect your site from such threats by restricting access to valid requests. The CHAT_CORS_ALLOWLIST configuration setting defines the list of hosts or IP addresses that are allowed to make cross-origin requests. If this setting is left blank, all origins are allowed.
Tip: Keep in mind that restricting cross-origin resource sharing does not prevent cross-site request forgery (CSRF). For information about CSRF protection, see Cross-Site Request Forgery.

For more information about testing for CORS vulnerabilities, search “Test cross origin resource sharing” on the OWASP Foundation website.
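As an added example, not Oracle's code, the following Python models the allowlist semantics of the two settings described above: CHAT_WS_API_IP_HOST as a list of IP addresses with subnet masks, and CHAT_CORS_ALLOWLIST as a list of origins, where a blank setting fails open. The sample values are constructed, and the entry format (comma-separated, IP/mask or CIDR notation) is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values. The real settings are hidden configuration in
# Oracle B2C Service and are set through a service request, not in code.
CHAT_WS_API_IP_HOST = "192.0.2.10, 198.51.100.0/255.255.255.0, 203.0.113.0/24"
CHAT_CORS_ALLOWLIST = "https://www.example.com, https://support.example.com:8443"


def parse_ip_allowlist(setting):
    """Turn comma-separated IP and IP/mask (or CIDR) entries into networks."""
    nets = []
    for entry in setting.split(","):
        entry = entry.strip()
        if entry:
            # ip_network accepts "a.b.c.d", "a.b.c.d/24" and "a.b.c.d/255.255.255.0"
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def ip_allowed(setting, client_ip):
    """Documented semantics: an enabled but blank setting allows every host."""
    nets = parse_ip_allowlist(setting)
    if not nets:
        return True  # fail-open: blank allowlist means all hosts are allowed
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def normalize_origin(origin):
    """Reduce an origin to (scheme, host, port) so matching is exact, not substring."""
    parts = urlsplit(origin.strip().lower())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # rejects "null", bare hostnames and malformed values
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def cors_headers(setting, request_origin):
    """Response headers for a cross-origin request under the allowlist.

    A blank allowlist mirrors the documented behaviour (all origins allowed).
    Otherwise only an exact origin match is echoed back, never a wildcard.
    """
    allowed = {normalize_origin(o) for o in setting.split(",") if o.strip()}
    allowed.discard(None)
    if not allowed:
        return {"Access-Control-Allow-Origin": "*"}
    if normalize_origin(request_origin) in allowed:
        return {"Access-Control-Allow-Origin": request_origin.strip(), "Vary": "Origin"}
    return {}  # no CORS headers: the browser blocks the cross-origin read
```

Exact origin matching is what defeats lookalike hosts such as www.example.com.evil.net, which a substring or prefix check would accept.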