Site Protection
One of the most important steps you can take to protect your site is to limit access to the greatest extent possible while still meeting the requirements of your staff members and customers.
By restricting access to your site or certain functionality within your site, you can reduce opportunities for unwanted visitors with malicious intent to gain access to your assets. The configuration settings that affect your site’s protection are described in the following two tables.
Configuration Setting | Description | Default Value |
---|---|---|
Common/General/Security | ||
SEC_VALID_ADMIN_HOSTS | Defines which hosts can access the administration interface. | Blank |
SEC_VALID_INTEG_HOSTS | Defines which hosts can access the integration interface. Only staff members who log in from the listed IP addresses, including network groups, can access the API interface. | Blank |
RightNow User Interface/General/Security | ||
CLIENT_SESSION_EXP | Requires staff members to log in again after a specified period of inactivity on the Service Console. To reduce the risk of a misappropriated agent session, we recommend keeping the default value of 15. Note: This setting is not used strictly for security. It is also used in the desktop usage administration feature. | 15 |
RightNow User Interface/Tool Bar/General | ||
LOGIN_SECURITY_MSG | Defines a message to display after staff members click the Login button on the Login window. You can use this setting to issue a security statement, distribute the terms of a use agreement, or present any login message that you want staff members to agree to before the Service Console or the Agent Browser UI opens. | Blank |
Configuration Setting | Description | Default Value |
---|---|---|
Common/General/Security | ||
CP_REDIRECT_HOSTS | Defines which hosts are allowed as redirect targets from the customer portal. The default setting (blank) prevents all redirects outside of your interface domain. If you have more than one interface that you need to redirect to, each interface domain name must be specified in CP_REDIRECT_HOSTS. Note: Redirects within your interface domain, as well as hosts specified in related configuration settings, are implicitly allowed. Therefore, those domains do not need to be listed in the CP_REDIRECT_HOSTS setting. | Blank |
SEC_VALID_ENDUSER_HOSTS | Defines which hosts can access the customer portal. Only customers coming from a host in the valid list are allowed access to the customer portal. Note: This setting applies only to PHP pages. It does not block access to static assets such as URLs, images, JavaScript, folders, or files. For more information, contact your Oracle account manager. Tip: The valid list is practical only if the set of allowed hosts is confined to 10 or fewer domains. | Blank |
SEC_INVALID_ENDUSER_HOSTS | Defines which hosts are not allowed access to the customer portal. The invalid list is used to block spiders coming from known locations. | Blank |
RightNow User Interface/General/Security | ||
SUBMIT_TOKEN_EXP | Defines the amount of time, in minutes, that the submit token used for token verification is valid. | 30 |
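
The redirect rule described for CP_REDIRECT_HOSTS (blank means no redirects outside the interface domain, the interface domain itself is always allowed) can be modeled as a redirect-target check for testing your own allowlist values. This is an added example, not Oracle's implementation: the interface host name, the comma-separated list format, exact host-name matching and the sample targets are all assumptions constructed here.

```python
from urllib.parse import urlsplit

# Assumed interface domain, constructed for this example.
INTERFACE_HOST = "support.example.com"


def parse_hosts(setting):
    """Parse an assumed comma-separated host list; a blank value gives an empty set."""
    return {h.strip().lower().rstrip(".") for h in setting.split(",") if h.strip()}


def redirect_allowed(target, redirect_hosts="", interface_host=INTERFACE_HOST):
    """Return True if target stays on the interface domain or an allowlisted host."""
    # Backslashes, whitespace and control characters are parsed differently by
    # browsers and servers, so refuse them instead of trying to normalise.
    if any(c == "\\" or ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: allowed only as a single-slash absolute path.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("", "http", "https"):
        return False
    # Compare the parsed host name exactly; substring or prefix checks would
    # accept look-alike hosts.
    return bool(host) and (host == interface_host or host in parse_hosts(redirect_hosts))


# Constructed sample targets: (target, CP_REDIRECT_HOSTS value used for the check).
SAMPLES = [
    ("/app/answers/list", ""),
    ("https://support.example.com/app/home", ""),
    ("https://shop.example.com/cart", ""),
    ("https://shop.example.com/cart", "shop.example.com, billing.example.com"),
    ("https://shop.example.com@other.example/", "shop.example.com"),
    ("//shop.example.com.other.example/", "shop.example.com"),
]

if __name__ == "__main__":
    for target, setting in SAMPLES:
        verdict = "allow" if redirect_allowed(target, setting) else "block"
        print(f"{verdict:5}  hosts={setting!r:45} {target}")
```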