Chat API Protection
B2C Service supports a Chat API that must be enabled by Oracle. When enabled, the API is protected by a configuration setting that specifies the IP addresses and subnet masks that are allowed to make requests to the Chat API. If this setting is enabled and left blank, all hosts are allowed.
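The following added example (not Oracle code) models the allow-list behavior described above so a configured value can be reviewed before deployment, including the case where a blank value allows every host. The comma-separated `address` or `address/mask` value format, the function names, and the `max_hosts` threshold are assumptions made for illustration.

```python
import ipaddress

def parse_allowlist(value):
    """Parse comma-separated 'address' or 'address/mask' entries (assumed format)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    # strict=False accepts host bits in the address part, e.g. 203.0.113.5/255.255.255.0
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_allowed(client_ip, value):
    """Model the documented behavior: an enabled but blank setting allows all hosts."""
    networks = parse_allowlist(value)
    if not networks:
        return True  # blank value: no restriction is applied
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in networks)

def audit(value, max_hosts=256):
    """Return review findings; max_hosts is an arbitrary threshold chosen here."""
    networks = parse_allowlist(value)
    if not networks:
        return ["blank value: all hosts may call the Chat API"]
    findings = []
    for n in networks:
        if n.prefixlen == 0:
            findings.append(f"{n}: matches every address")
        elif n.num_addresses > max_hosts:
            findings.append(f"{n}: {n.num_addresses} addresses, wider than {max_hosts}")
    return findings

if __name__ == "__main__":
    # Constructed sample values using documentation address ranges.
    samples = ["", "203.0.113.0/255.255.255.0, 192.0.2.10", "10.0.0.0/8"]
    for value in samples:
        print(repr(value), "->", audit(value) or "no findings")
        print("  198.51.100.7 allowed:", is_allowed("198.51.100.7", value))
```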
User Protection
By enabling the INC_PRIVATE_TRANSCRIPT_ONLY configuration setting, you can change the privacy of the information in a Chat exchange. Instead of being added to an incident as public information, it is added as a private note, which restricts access to the data. If there is a chance that staff members will enter sensitive information during a chat session, this setting should be enabled.
It is also possible to configure Chat to allow off-the-record chats in which the exchanged data is not recorded and can be seen only in real time by the agent.
Cross-Origin Resource Sharing Protection
For more information about testing for CORS vulnerabilities, search “Test cross origin resource sharing” on the OWASP Foundation website.