Chat Security
B2C Chat (Chat) lets customers experience interactive, real-time conversations with agents. There are a number of configuration options that protect these exchanges of information and the underlying services that make them possible.
For complete details and procedures about configuring Chat see these topics:
This table describes the Chat configuration settings that control who may reach the Chat services and what is stored from a session. Note that for every allowlist below, a blank value means "allow everything", not "allow nothing".

Configuration Setting | Description | Default Value |
---|---|---|
CHAT_WS_API_IP_HOST | Defines the list of IP addresses and subnet masks that are allowed to make requests to the Chat API. If this setting is enabled and left blank, all hosts are allowed. This is a hidden setting; to enable it and define your allowed IP addresses and subnet masks, submit a request on our support site. | Blank |
Common/General/Security | | |
SEC_VALID_CHAT_API_HOSTS | Defines which hosts and subnet masks of hosts are allowed to access the Chat SOAP interface for any chat-related request coming from a customer to the server. Note: If this setting is left blank, the server accepts requests from all hosts. | Blank |
CP_CONTACT_LOGIN_REQUIRED | When enabled, enforces secure logon to prevent unauthorized chat sessions. | No |
Chat/General/Server | | |
CHAT_CORS_ALLOWLIST | Defines the list of origins and domains allowed to make cross-origin requests through the Chat server. If chat sessions in the Service Console include content such as images or URLs that are not on this allowlist, a warning message prompts the agent to continue or cancel the action. Note: If this setting is left blank, the server accepts requests from all origins. Changes to this allowlist apply only to new chat sessions on the Service Console, not to existing ones. | Blank |
Chat/General/Create Incident | | |
INC_PRIVATE_TRANSCRIPT_ONLY | Allows chat transcripts to be added to incidents as private notes. Note: If enabled, customers cannot see past chats. | No |
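The host and origin allowlists above share one pitfall: a blank value accepts every host or origin, which is the opposite of what an allowlist normally implies, so a setting that was never populated is wide open rather than locked down. The following Python example is added here to make that behaviour concrete; it is not Oracle B2C Service code. It evaluates a client address against a list in the style of CHAT_WS_API_IP_HOST / SEC_VALID_CHAT_API_HOSTS and a request Origin against a list in the style of CHAT_CORS_ALLOWLIST. The list syntax it parses (comma-separated entries; hosts as IPv4/IPv6 addresses, CIDR prefixes or address/netmask pairs; origins as scheme://host[:port] or a bare domain that matches that host on any scheme) is an assumption for illustration, not Oracle's documented format, and all addresses and names in it are constructed.

```python
"""Added example, not Oracle B2C Service code: evaluate a request against
host and origin allowlists that follow the documented 'blank allows all' rule.
Assumed list syntax: comma-separated entries. Hosts are IPv4/IPv6 addresses,
CIDR prefixes or address/netmask pairs; origins are scheme://host[:port]
or a bare domain (assumption: a bare domain matches that host on any scheme)."""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_host_list(setting: str) -> list:
    """Turn '203.0.113.5, 198.51.100.0/24, 10.0.0.0/255.0.0.0, 2001:db8::/32'
    into ip_network objects. strict=False tolerates host bits in the prefix."""
    networks = []
    for entry in setting.split(","):
        entry = entry.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def host_allowed(setting: str, client_ip: str) -> bool:
    """True if client_ip falls inside any listed network.
    A blank setting allows every host, exactly as the table documents."""
    networks = parse_host_list(setting)
    if not networks:
        return True
    address = ipaddress.ip_address(client_ip)
    # 'in' is False across IP versions, so an IPv6 client never matches a v4 net
    return any(address in network for network in networks)


def normalize_origin(origin: str) -> tuple:
    """Reduce an origin to (scheme, host, port) with default ports filled in,
    so https://help.example.com and https://help.example.com:443 compare equal."""
    parts = urlsplit(origin.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def origin_allowed(setting: str, origin: str) -> bool:
    """Exact-match the request Origin against the allowlist. No prefix or
    suffix matching: help.example.com.attacker.example must not pass just
    because it begins with an allowed name."""
    entries = [e.strip() for e in setting.split(",") if e.strip()]
    if not entries:
        return True  # blank: all origins accepted
    scheme, host, port = normalize_origin(origin)
    for entry in entries:
        if "://" not in entry:
            if host == entry.lower():  # bare domain entry (assumed syntax)
                return True
        elif normalize_origin(entry) == (scheme, host, port):
            return True
    return False


if __name__ == "__main__":
    # Constructed settings and requests for illustration
    print(host_allowed("", "198.51.100.7"))  # True: blank allows everyone
    print(host_allowed("203.0.113.0/24", "198.51.100.7"))  # False
    print(origin_allowed("https://help.example.com",
                         "https://help.example.com.attacker.example"))  # False
```

The origin comparison is deliberately exact: wildcard or substring matching on Origin values is a common way to turn a CORS allowlist into an attacker-controlled one, and the same holds when hand-rolling checks in front of the Chat server.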
The CHAT_INPUT_ALLOWLIST_JSON configuration setting, found in Chat/General/Chat Session, defines the set of tags, attributes, and URL protocols allowed in message posts and in the common fields used in chat sessions. Anything outside this set is not accepted as markup. The default value is an extensive list, summarized in this table.
Allowed Tags | Allowed Attributes (Allowed Protocols, if applicable) |
---|---|
a | |
audio | |
b | |
blockquote | cite (http, https) |
br | |
caption | |
cite | cite (http, https) |
code | |
col | |
colgroup | |
dd | |
div | |
dl | |
dt | |
em | |
figcaption | |
figure | |
h1 | |
h2 | |
h3 | |
h4 | |
h5 | |
i | |
img | |
li | |
ol | |
p | |
pre | |
q | cite (http, https) |
small | |
source | |
span | |
strike | |
strong | |
sub | |
sup | |
table | |
tbody | |
td | |
tfoot | |
th | |
thead | |
tr | |
u | type |
ul | |
video | |
:all (indicates allowed attributes on all tags) | |
The value is a JSON object keyed by tag name; each tag maps to an object of allowed attributes, and each attribute maps to the list of protocols its value may use (an empty list means the attribute is allowed with any value). For example:
- {"h1": {}} indicates that the <h1> tag is allowed, but that no attributes are allowed on it.
- {"a": {"href": ["ftp","http","https","mailto"]}} indicates that the <a> tag is allowed with an href attribute, and that the href value may use only the ftp, http, https, or mailto protocols.
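To show what an allowlist in this shape has to enforce to be useful, here is an added Python example of a sanitizer driven by a CHAT_INPUT_ALLOWLIST_JSON-style document. It is not Oracle's implementation and the real setting's exact semantics (for instance how relative URLs are treated) are not documented on this page; the allowlist it uses is constructed from the page's examples, and its img and :all entries are assumptions. The point it demonstrates is that a tag/attribute/protocol allowlist only protects the agent's browser if unknown tags are removed (while their text is kept), unknown attributes such as onclick are dropped, and URL attributes are checked by scheme after entity decoding, case folding and removal of embedded control characters, since javascript&#58;, JavaScript: and java&#9;script: are all the same scheme to a browser.

```python
"""Added example, not Oracle B2C Service code: an HTML sanitizer driven by an
allowlist in the CHAT_INPUT_ALLOWLIST_JSON shape ({tag: {attribute: [protocols]}},
with ":all" naming attributes allowed on every tag)."""
import html
import json
import re
from html.parser import HTMLParser

# Constructed allowlist modelled on the page's examples; the img and :all
# entries are assumptions, not Oracle's documented defaults.
ALLOWLIST_JSON = json.dumps({
    "a": {"href": ["ftp", "http", "https", "mailto"]},
    "b": {}, "br": {}, "p": {}, "strong": {}, "h1": {},
    "blockquote": {"cite": ["http", "https"]},
    "img": {"src": ["http", "https"], "alt": []},
    ":all": {"title": []},
})
ALLOWLIST = json.loads(ALLOWLIST_JSON)

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)
_VOID_TAGS = {"br", "img", "col", "source", "hr"}
_DROP_CONTENT = {"script", "style"}  # text inside these is never emitted


def url_scheme(value: str):
    """Scheme of a URL value, or None if it is relative. Characters <= 0x20
    are removed first because browsers ignore tabs/newlines in 'java\\tscript:'."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allowlist: dict):
        super().__init__(convert_charrefs=True)  # entities decoded before checks
        self.allowlist = allowlist
        self.global_attrs = allowlist.get(":all", {})
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            protocols = self.allowlist[tag].get(name, self.global_attrs.get(name))
            if protocols is None:
                continue  # attribute allowed neither on this tag nor globally
            value = value or ""
            if protocols:  # non-empty list marks a URL attribute: enforce scheme
                scheme = url_scheme(value)
                if scheme is not None and scheme not in protocols:
                    continue
            kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if tag in _DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.allowlist:
            return  # tag dropped; its text still arrives via handle_data
        rendered = "".join(f' {n}="{html.escape(v, quote=True)}"'
                           for n, v in self._clean_attrs(tag, attrs))
        self.out.append(f"<{tag}{rendered}>")
        if tag not in _VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in _DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag in _VOID_TAGS or tag not in self.open_tags:
            return
        while True:  # also close mis-nested children so output stays well-formed
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:  # tags the input never closed
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize(fragment: str, allowlist: dict = ALLOWLIST) -> str:
    """Return fragment rewritten to contain only allowlisted markup."""
    parser = AllowlistSanitizer(allowlist)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed message posts
    for post in ('<a href="JavaScript&#58;alert(1)">click</a>',
                 '<p onclick="steal()">hi <img src="http://x/y.png" width=5></p>',
                 '<script>alert(1)</script><div>kept text</div>'):
        print(sanitize(post))
```

Because the parser decodes character references before the policy runs and the scheme check ignores case and control characters, the three spellings of the javascript scheme above are all stripped while an https, mailto or relative href survives; that is the property to verify against whatever sanitizer actually sits behind this setting.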