
Preventing CSRF and Host Header Attacks

FICO® Xpress Insight can be configured to permit access only through the configured URL, refusing requests that reach the server by its direct IP address, by an alternative host name, or via localhost. This prevents the class of attacks known as Host Header Attacks and Cross-Site Request Forgery (CSRF).
To protect Xpress Insight, complete the following steps:
  1. Use a text editor to open the file at \xpressmp\insight\server\wildfly-x.y.z.Final\standalone\configuration\standalone.xml.
  2. Within standalone.xml, find the section that contains the following text: <system-properties>
  3. Locate the following property, which has an empty value by default:
    <property name="com.fico.xpress.insight.ServerUrl" value=""/>
  4. Edit this property's value to be the URL that users must use to access the service; in this example, https://insight.example.com:8443:
    <property name="com.fico.xpress.insight.ServerUrl" value="https://insight.example.com:8443"/>
  5. Save your changes to standalone.xml.
  6. Restart the Xpress Insight service.

Result

These configuration settings allow Xpress Insight to be served as expected on https://insight.example.com:8443/, but the server will respond with 503 Service Unavailable if a user attempts to access Insight on any other URL, such as https://localhost:8443/. The server will also respond with 403 Forbidden if a resource is requested with a Referer header that differs from the configured URL.
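The following is an added example, not FICO's code or part of the Xpress Insight product: it reads the com.fico.xpress.insight.ServerUrl property from a constructed standalone.xml fragment and models the access policy the steps above enable, returning the 503 (Host mismatch) and 403 (Referer mismatch) responses described in the Result section. The matching rules (lowercase host:port comparison with default ports filled in, Referer compared by scheme and authority) are assumptions made for illustration; they are not a description of Insight's internal implementation.

```python
from typing import Optional
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SERVER_URL_PROPERTY = "com.fico.xpress.insight.ServerUrl"

# Constructed sample in the shape of the <system-properties> section of a
# WildFly standalone.xml (XML namespaces omitted; not a real configuration file).
STANDALONE_XML = """<server>
  <system-properties>
    <property name="some.other.property" value="x"/>
    <property name="com.fico.xpress.insight.ServerUrl" value="https://insight.example.com:8443"/>
  </system-properties>
</server>
"""


def read_server_url(xml_text: str) -> str:
    """Return the ServerUrl property value from standalone.xml ('' if unset)."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Strip any XML namespace so this also works on a namespaced standalone.xml.
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name == "property" and elem.get("name") == SERVER_URL_PROPERTY:
            return elem.get("value", "")
    return ""


DEFAULT_PORTS = {"http": "80", "https": "443"}


def _authority(scheme: str, netloc: str) -> str:
    """Normalise host[:port] to lowercase host:port, filling in the default port (assumed rule)."""
    netloc = netloc.lower()
    if ":" not in netloc:
        netloc = f"{netloc}:{DEFAULT_PORTS.get(scheme, '')}"
    return netloc


def check_request(server_url: str, host_header: str, referer: Optional[str] = None) -> int:
    """Model of the policy: return the HTTP status the documentation describes.

    503 when the Host header is not the configured URL's host:port,
    403 when a Referer is present and points at a different origin,
    200 otherwise. An empty server_url (the default) leaves access unrestricted.
    """
    if not server_url:
        return 200
    expected = urlsplit(server_url)
    expected_authority = _authority(expected.scheme, expected.netloc)
    # Host header check: direct IP, alternative host name and localhost all fail here.
    if _authority(expected.scheme, host_header) != expected_authority:
        return 503
    # Referer check: a request originating from another origin is refused.
    if referer is not None:
        ref = urlsplit(referer)
        if ref.scheme != expected.scheme or _authority(ref.scheme, ref.netloc) != expected_authority:
            return 403
    return 200


if __name__ == "__main__":
    url = read_server_url(STANDALONE_XML)
    print("configured ServerUrl:", url)
    # Constructed sample requests showing each outcome.
    print(check_request(url, "insight.example.com:8443"))                                   # 200
    print(check_request(url, "localhost:8443"))                                             # 503
    print(check_request(url, "insight.example.com:8443", "https://insight.example.com:8443/app"))  # 200
    print(check_request(url, "insight.example.com:8443", "https://other.example/form"))     # 403
```

Leaving the property empty keeps the unrestricted behaviour, which is why the check must be enabled explicitly; once set, any monitoring or load-balancer health probe that addresses the server by IP or by localhost must be updated to use the configured host name, or it will start receiving 503 responses.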