Site Protection

One of the most important steps you can take to protect your site is to limit access to the greatest extent possible while still meeting the requirements of your staff members and customers.

By restricting access to your site or certain functionality within your site, you can reduce opportunities for unwanted visitors with malicious intent to gain access to your assets. The configuration settings that affect your site’s protection are described in the following two tables.

Administration Interface Settings for Site Protection

Common/General/Security

Configuration Setting: SEC_VALID_ADMIN_HOSTS
Description: Defines which hosts can access the administration interface.
Default Value: Blank

Configuration Setting: SEC_VALID_INTEG_HOSTS
Description: Defines which hosts can access the integration interface. Only staff members who log in from the listed IP addresses, including network groups, can access the API interface.
Default Value: Blank

RightNow User Interface/General/Security

Configuration Setting: CLIENT_SESSION_EXP
Description: Requires staff members to log in again after a specified period of inactivity on the Service Console. To reduce the risk of a misappropriated agent session, we recommend keeping the default value of 15.
Note: This setting is not used strictly for security. It is also used in the desktop usage administration feature.
Default Value: 15

RightNow User Interface/Tool Bar/General

Configuration Setting: LOGIN_SECURITY_MSG
Description: Defines a message to display after staff members click the Login button on the Login window.

You can use this setting to issue a security statement, distribute terms of a use agreement, or display any login message you want staff members to agree to before the Service Console or the Agent Browser UI opens.
Default Value: Blank

Customer Portal Settings for Site Protection

Common/General/Security

Configuration Setting: CP_REDIRECT_HOSTS
Description: Defines which hosts are allowed as redirect targets from the customer portal. The default setting (blank) prevents all redirects outside of your interface domain.

If you have more than one interface that you need to redirect to, each interface domain name must be specified in CP_REDIRECT_HOSTS.

  • Blank = Prevents all redirects outside of your interface domain.
  • * = Allows all redirects, including redirects to external sites. (Not recommended.)

Note: Redirects within your interface domain, as well as hosts specified in related configuration settings, are implicitly allowed. Therefore, those domains do not need to be listed in the CP_REDIRECT_HOSTS setting.
Default Value: Blank

Configuration Setting: SEC_VALID_ENDUSER_HOSTS
Description: Defines which hosts can access the customer portal. Only customers coming from a host in the valid list are allowed access to the customer portal.
Note: This setting applies only to PHP pages. It does not block access to static assets such as URLs, images, JavaScript, folders, or files. For more information, contact your Oracle account manager.
Tip: The valid list is practical only if the set of allowed hosts is confined to 10 or fewer domains.
Default Value: Blank

Configuration Setting: SEC_INVALID_ENDUSER_HOSTS
Description: Defines which hosts are not allowed access to the customer portal. The invalid list is used to prevent spiders from known locations.
Default Value: Blank

RightNow User Interface/General/Security

Configuration Setting: SUBMIT_TOKEN_EXP
Description: Defines the amount of time, in minutes, that the submit token used for token verification is valid.
Default Value: 30
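
The CP_REDIRECT_HOSTS behavior described above (blank blocks external redirects, * allows all, the interface domain is implicitly allowed), modelled as an added example that is not the product's implementation or code from this page. It assumes the value is a comma-separated list of exact host names; the function names and sample hosts are hypothetical, and hosts allowed through related settings are not modelled.

```python
from urllib.parse import urlsplit

def parse_allowlist(setting_value):
    # Assumption: the setting holds a comma-separated list of host names.
    return {h.strip().lower() for h in setting_value.split(",") if h.strip()}

def redirect_allowed(target, interface_host, setting_value=""):
    """Decide whether `target` is an acceptable redirect destination."""
    # Browsers read "\" as "/" and drop control characters, so refuse
    # such input instead of guessing how it will be interpreted.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:           # malformed authority, e.g. a bad IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Path-only target: stays on the interface domain. "///host" is
        # refused because browsers resolve it to an external host.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("", "http", "https"):
        return False             # javascript:, data: and similar schemes
    # .hostname skips userinfo, so "https://good@other/" yields "other".
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    if host == interface_host.lower():
        return True              # redirect within the interface domain
    allowlist = parse_allowlist(setting_value)
    if "*" in allowlist:
        return True              # "*" allows every host (not recommended)
    return host in allowlist     # blank setting -> empty set -> refused

# Constructed sample values; every host name here is hypothetical.
INTERFACE = "support.example.com"
SAMPLES = [
    ("/app/answers/list", ""),
    ("https://partner.example.net/kb", ""),
    ("https://partner.example.net/kb", "partner.example.net, docs.example.org"),
    ("https://support.example.com@other.example/", "partner.example.net"),
    ("//other.example/x", ""),
    ("https://other.example/", "*"),
]

if __name__ == "__main__":
    for target, setting in SAMPLES:
        print(f"{setting!r:45} {target:45} {redirect_allowed(target, INTERFACE, setting)}")
```
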