Chat Security

B2C Chat (Chat) lets customers experience interactive, real-time conversations with agents. There are a number of configuration options that protect these exchanges of information and the underlying services that make them possible.

For complete details and procedures about configuring Chat, see these topics:

The following describes the Chat configuration settings and their default values.

Settings for Chat

CHAT_WS_API_IP_HOST (hidden setting)
  Description: Defines the list of IP addresses and subnet masks that are allowed to make requests to the Chat API. If this setting is enabled and left blank, all hosts are allowed. To enable this hidden setting and define your allowed IP addresses and subnet masks, submit a request on our support site.
  Default value: Blank

Common/General/Security

SEC_VALID_CHAT_API_HOSTS
  Description: Defines which hosts and subnet masks of hosts are allowed to access the Chat SOAP interface for any chat-related request coming from a customer to the server.
  Note: If this setting is left blank, the server accepts requests from all hosts.
  Default value: Blank

CP_CONTACT_LOGIN_REQUIRED
  Description: When enabled, enforces secure logon to prevent unauthorized chat sessions.
  Default value: No

Chat/General/Server

CHAT_CORS_ALLOWLIST
  Description: Defines the list of origins and domains allowed to make cross-origin requests through the Chat server. If chat sessions in the Service Console include content, such as images or URLs, that is not on this allow list, a warning message prompts the agent to continue or cancel the action.
  Note: If this setting is left blank, the server accepts requests from all origins. Changes made to this allow list apply only to new chat sessions on the Service Console, not to existing ones.
  Default value: Blank

Chat/General/Create Incident

INC_PRIVATE_TRANSCRIPT_ONLY
  Description: Allows chat transcripts to be added to incidents as private notes.
  Note: If enabled, customers cannot see past chats.
  Default value: No

The CHAT_INPUT_ALLOWLIST_JSON configuration setting describes a valid set of tags, attributes, and protocols to allow in message posts and in common fields used in chat sessions.

The configuration setting, which you can find in Chat/General/Chat Session, has an extensive list of default values.

Default Values for the CHAT_INPUT_ALLOWLIST_JSON Configuration Setting

Allowed Tags, each followed by its Allowed Attributes (and Allowed Protocols, if applicable)
a
  • href (http, https)
  • referrerpolicy
  • title
audio
  • controls
  • loop
  • muted
  • src (http, https)
b
blockquote
  • cite (http, https)
br
caption
cite
  • cite (http, https)
code
col
  • span
  • width
colgroup
  • span
  • width
dd
div
dl
dt
em
figcaption
figure
h1
h2
h3
h4
h5
i
img
  • align
  • alt
  • height
  • referrerpolicy
  • src (http, https)
  • title
  • width
li
ol
  • start
  • type
p
pre
q
  • cite (http, https)
small
source
  • src (http, https)
  • type
span
strike
strong
sub
sup
table
  • summary
  • width
tbody
td
  • abbr
  • axis
  • colspan
  • rowspan
  • width
tfoot
th
  • abbr
  • axis
  • colspan
  • rowspan
  • scope
  • width
thead
tr
u
  • type
ul
video
  • controls
  • height
  • loop
  • muted
  • poster (http, https)
  • preload
  • src (http, https)
  • width
:all (indicates allowed attributes on all tags)
  • dir
  • id
  • lang
  • muted
  • style
  • title
  • translate

For example:

  • {"h1": {}} indicates that the <h1> tag is allowed, but that no attributes are allowed.
  • {"a": {"href": ["ftp","http","https","mailto"]}} indicates that the <a> tag is allowed with an href attribute, and that href values may use only the ftp, http, https, or mailto protocol.
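As an added illustration (not from this documentation and not the product's own implementation), the following Python sanitizer applies an allowlist written in the CHAT_INPUT_ALLOWLIST_JSON shape to an HTML fragment: tags not in the list are dropped (their text is kept), attributes not listed for the tag or under :all are removed, and URL-bearing attributes are kept only when their scheme is in the attribute's protocol list. It assumes a constructed subset of the allowlist and, since the page does not show how non-URL attributes are encoded, uses an empty protocol list to mean "no scheme check".

```python
import json
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist subset in the CHAT_INPUT_ALLOWLIST_JSON shape (tag -> attribute ->
# protocols). Assumption of this example: an empty protocol list means "not a URL, no scheme check".
ALLOWLIST_JSON = json.dumps({
    "a": {"href": ["http", "https"], "title": []},
    "b": {},
    "img": {"src": ["http", "https"], "alt": []},
    ":all": {"id": [], "lang": []},
})
VOID_TAGS = {"br", "col", "img", "source"}  # never emit a closing tag for these


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowlist_json):
        super().__init__(convert_charrefs=True)
        self.allow = json.loads(allowlist_json)
        self.out = []

    def _keep_attr(self, tag, name, value):
        rule = self.allow[tag].get(name, self.allow.get(":all", {}).get(name))  # tag rule, then ":all"
        if not rule:
            return rule is not None  # None: not allowed; []: allowed, no URL check
        try:
            return urlsplit((value or "").strip()).scheme.lower() in rule
        except ValueError:
            return False  # malformed URL fails closed

    def handle_starttag(self, tag, attrs):
        if tag not in self.allow:
            return  # disallowed tag is dropped; its text content is kept
        kept = [(n, v) for n, v in attrs if self._keep_attr(tag, n, v)]
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in self.allow and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text re-escaped on output


def sanitize(fragment, allowlist_json=ALLOWLIST_JSON):
    parser = AllowlistSanitizer(allowlist_json)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Scheme-less (relative) URLs are rejected because their empty scheme is never in a protocol list; relax that deliberately if relative links are wanted.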