API configuration (CORS, HSTS, Custom HTTP headers, Request filtering)

Information

This guide explains how to configure the security settings for the Checkbox API, including CORS, HTTP headers, HSTS, and path filtering. These settings are supported from Checkbox version 8.20.0.

Configuration

The API security settings are configured in the appsettings.json file located in your API deployment directory (by default, checkbox/api-core).

CORS

"apiCors": {
  "origins": [
    "https://app.example1.com",
    "https://app.example2.com",
    "https://app.example3.com"
  ],
  "preflightMaxAge": 86400,
  "disabled": false,
  "allowedMethods": ["GET", "POST", "PUT"],
  "allowedHeaders": ["Content-Type", "Authorization", "X-Requested-With"],
  "allowCredentials": true
}
| Property | Type | Default | Description |
|---|---|---|---|
| origins | string[] | [] | List of allowed origins. An empty array allows all origins (not recommended for production) |
| preflightMaxAge | int | 86400 | How long browsers may cache CORS preflight responses (in seconds) |
| disabled | bool | false | Disable CORS entirely |
| allowedMethods | string[] | [] | Specific HTTP methods to allow. An empty array allows all methods |
| allowedHeaders | string[] | [] | Specific request headers to allow. An empty array allows all headers |
| allowCredentials | bool | false | Allow credentials (cookies, authorization headers) in CORS requests |

HSTS

HTTP Strict Transport Security (HSTS) instructs browsers to use HTTPS for all connections to the API.

"apiHsts": {
  "disabled": false,
  "preload": false,
  "includeSubDomains": true,
  "maxAgeDays": 365
}
| Property | Type | Default | Description |
|---|---|---|---|
| disabled | bool | false | Disable HSTS |
| preload | bool | false | Mark the header for inclusion in browser preload lists |
| includeSubDomains | bool | true | Apply the policy to all subdomains |
| maxAgeDays | int | 30 | How long browsers should remember the HTTPS requirement (in days) |

Custom HTTP Headers

Add custom HTTP headers to API responses, or remove headers the server would otherwise send.

"apiHeaders": {
  "addCustom": {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin"
  },
  "remove": ["X-Powered-By", "X-AspNet-Version"]
}

| Property | Type | Default | Description |
|---|---|---|---|
| addCustom | Dictionary<string, string> | {} | Headers to add to responses |
| remove | string[] | [] | Headers to remove from responses |

Path Filtering Configuration

"apiPathFiltering": {
  "invalidCharacters": ["%", "..", ";"]
}
| Property | Type | Default | Description |
|---|---|---|---|
| invalidCharacters | string[] | [] | Characters or strings to block in URL paths |

Considerations

  • Matching is case-insensitive
  • Filtering may block legitimate requests (e.g., email addresses in URLs if @ is blocked)
  • Test thoroughly against your application's URL patterns before deploying
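A pre-deployment check for the four sections above, written as an added example (it is not part of Checkbox): it parses an appsettings.json document, flags the weak settings the tables warn about (open origin list, especially with credentials; preload without a one-year max-age and includeSubDomains; version-disclosing headers left in place; empty path filter), and builds the Strict-Transport-Security value you would expect to see on a live response so it can be compared with the actual header. The sample document is constructed and deliberately weakened; the max-age conversion from maxAgeDays assumes the API emits days * 86400 seconds.

```python
import json

# Constructed sample: a deliberately weakened copy of the settings shown above, so the audit has findings.
SAMPLE_APPSETTINGS = """{
  "apiCors": {"disabled": false, "origins": [], "allowCredentials": true},
  "apiHsts": {"disabled": false, "preload": true, "includeSubDomains": false, "maxAgeDays": 30},
  "apiHeaders": {"addCustom": {"X-Content-Type-Options": "nosniff"}, "remove": []},
  "apiPathFiltering": {"invalidCharacters": []}
}"""

def hsts_header(hsts):
    """Expected Strict-Transport-Security value for an apiHsts block (assumes
    maxAgeDays is emitted as max-age in seconds); None when HSTS is disabled."""
    if hsts.get("disabled", False):
        return None
    parts = ["max-age=%d" % (int(hsts.get("maxAgeDays", 30)) * 86400)]
    if hsts.get("includeSubDomains", True):
        parts.append("includeSubDomains")
    if hsts.get("preload", False):
        parts.append("preload")
    return "; ".join(parts)

def audit(settings):
    """Return weak-setting findings for the four sections (empty list = nothing flagged)."""
    findings = []
    cors = settings.get("apiCors", {})
    if not cors.get("disabled", False) and not cors.get("origins"):
        findings.append("apiCors.origins is empty: every origin is allowed")
        if cors.get("allowCredentials", False):
            findings.append("apiCors.allowCredentials is true with an open origin list")
    hsts = settings.get("apiHsts", {})
    if hsts.get("disabled", False):
        findings.append("apiHsts.disabled is true: HTTPS is not enforced")
    elif hsts.get("preload", False) and (int(hsts.get("maxAgeDays", 30)) < 365
                                         or not hsts.get("includeSubDomains", True)):
        # Browser preload lists require a max-age of at least one year plus includeSubDomains.
        findings.append("apiHsts.preload set without maxAgeDays >= 365 and includeSubDomains")
    headers = settings.get("apiHeaders", {})
    for leak in ("X-Powered-By", "X-AspNet-Version"):  # framework-version disclosure
        if leak not in headers.get("remove", []):
            findings.append("apiHeaders.remove does not strip " + leak)
    if "X-Frame-Options" not in headers.get("addCustom", {}):
        findings.append("apiHeaders.addCustom does not set X-Frame-Options")
    if not settings.get("apiPathFiltering", {}).get("invalidCharacters"):
        findings.append("apiPathFiltering.invalidCharacters is empty: no path filtering")
    return findings

def audit_json(text):
    return audit(json.loads(text))
```

Run it against your real appsettings.json before restarting the site in IIS; an empty result from audit_json means none of the checks above fired.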

Applying Configuration Changes

  1. Edit appsettings.json in your API deployment directory
  2. Save the file
  3. Restart the API website in IIS