Outbound HTTP connection
Web browsers enforce same-origin policies (specified by the W3C, the IETF, and the JavaScript language) that prevent a script on one site from reading the data of another site. Outbound HTTP Connection lets you selectively circumvent the same-origin policy: for example, JavaScript on a Digital Experience page can request XML from another site through the Outbound HTTP Connection proxy (formerly the AJAX Proxy). Because the proxy runs on the Digital Experience server, the browser treats the remote response as if it came from the portal's own origin, so the trust the browser places in the portal extends to whatever the proxied site returns.
Recommended actions and considerations
- What level of trust do you place in the sites accessed through Outbound HTTP Connection?
- What assumptions do your scripts make about the data they receive? Could the other site mount an XSS attack against your page through the proxied response (for example, a DOM-based attack, where the script writes the returned content into the page as HTML)?
- Which portlets need to access the back-end application? If only one or a few do, consider using application-scoped profiles to limit the scope of the exposed data.
- Which users and clients need access through Outbound HTTP Connection? Control access as tightly as your functional requirements permit, to limit the exposure inherent in circumventing the same-origin policy. Control access via:
  - Access policies
  - IP filtering
- If the back-end application accessed through Outbound HTTP Connection requires authentication, how is that achieved? SSO via cookies? Credentials from a credential vault slot? HTTP Basic authentication? Are the credentials and cookies protected on the network path between Digital Experience and the other application (for example, transmitted over HTTPS)?
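The controls listed above (scoping the proxy to specific portlets, allow-listing target URLs and methods, filtering client IP addresses, and forwarding only the cookies and headers a back-end actually needs) can be modelled as a small policy evaluator. The Node.js block below is an added example written for this page; it is not HCL Digital Experience code and does not use the product's configuration format. The policy fields, portlet scope names, hosts, CIDR ranges and sample requests are all constructed assumptions.

```javascript
'use strict';
// Hypothetical outbound-proxy gatekeeper (not HCL DX's own code or config model).
// Each policy says which portlet/application scope may reach which back-end URL
// prefix, with which methods, from which client ranges, forwarding which cookies
// and headers. Anything not explicitly allowed is denied or stripped.

// Constructed example policies: one entry per back-end the page needs.
const POLICIES = [
  {
    scope: 'news-portlet',                  // application-scoped: only this portlet
    url: 'https://feeds.example.com/rss/',  // origin + path prefix of the target
    methods: ['GET'],
    clientCidrs: ['10.0.0.0/8', '192.168.1.0/24'],
    forwardCookies: [],                     // anonymous back-end: forward no cookies
    forwardHeaders: ['Accept'],
    requireTls: true,
  },
  {
    scope: 'crm-portlet',
    url: 'https://crm.example.com/api/',
    methods: ['GET', 'POST'],
    clientCidrs: ['10.20.0.0/16'],
    forwardCookies: ['LtpaToken2'],         // assumed SSO cookie the CRM accepts
    forwardHeaders: ['Accept', 'Content-Type'],
    requireTls: true,
  },
];

// Parse dotted-quad IPv4 into a uint32; returns null for anything else.
// IPv6 clients are therefore rejected here; a real deployment must handle them.
function parseIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip));
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((n, o) => (n << 8) + o, 0) >>> 0;
}

// IPv4 CIDR membership test used for the "IP filtering" control.
function ipInCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const ipN = parseIPv4(ip);
  const baseN = parseIPv4(base);
  if (ipN === null || baseN === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipN & mask) >>> 0) === ((baseN & mask) >>> 0);
}

// Target check for the "access policies" control. Parsing with URL normalises
// "..", rejects userinfo tricks (https://host@evil/...) and compares origins, so
// a look-alike host or a traversal out of the allowed prefix does not match.
function matchesTarget(target, policy) {
  let u;
  try { u = new URL(target); } catch { return false; }
  if (policy.requireTls && u.protocol !== 'https:') return false;
  if (u.username || u.password) return false;
  const p = new URL(policy.url);
  return u.origin === p.origin && u.pathname.startsWith(p.pathname);
}

// Keep only the entries whose names are on the allow-list (case-insensitive).
function pick(src, allowed) {
  return Object.fromEntries(Object.entries(src || {}).filter(([k]) =>
    allowed.some((a) => a.toLowerCase() === k.toLowerCase())));
}

// Evaluate one proxied request. `req` is a constructed object, not a real HTTP
// request: { scope, clientIp, method, target, cookies: {..}, headers: {..} }
function evaluate(req) {
  const policy = POLICIES.find((p) => p.scope === req.scope && matchesTarget(req.target, p));
  if (!policy) return { allow: false, reason: 'no policy for this scope/target' };
  const method = String(req.method).toUpperCase();
  if (!policy.methods.includes(method)) return { allow: false, reason: `method ${method} not permitted` };
  if (!policy.clientCidrs.some((c) => ipInCidr(req.clientIp, c))) {
    return { allow: false, reason: `client ${req.clientIp} outside permitted ranges` };
  }
  // Only allow-listed cookies/headers leave the Digital Experience host.
  return {
    allow: true,
    outbound: { method, url: req.target,
      cookies: pick(req.cookies, policy.forwardCookies),
      headers: pick(req.headers, policy.forwardHeaders) },
  };
}

// Constructed sample requests, one per control being exercised.
const SAMPLES = {
  ok:         { scope: 'news-portlet', clientIp: '10.1.2.3', method: 'GET', target: 'https://feeds.example.com/rss/top.xml',
                cookies: { JSESSIONID: 'abc', LtpaToken2: 'xyz' }, headers: { Accept: 'application/xml', Authorization: 'Basic dXNlcjpwYXNz' } },
  wrongScope: { scope: 'news-portlet', clientIp: '10.20.1.1', method: 'GET', target: 'https://crm.example.com/api/accounts' },
  traversal:  { scope: 'news-portlet', clientIp: '10.1.2.3', method: 'GET', target: 'https://feeds.example.com/rss/../admin' },
  plaintext:  { scope: 'news-portlet', clientIp: '10.1.2.3', method: 'GET', target: 'http://feeds.example.com/rss/top.xml' },
  badMethod:  { scope: 'crm-portlet', clientIp: '10.20.5.5', method: 'DELETE', target: 'https://crm.example.com/api/accounts/1' },
  outsideNet: { scope: 'crm-portlet', clientIp: '203.0.113.9', method: 'POST', target: 'https://crm.example.com/api/accounts' },
};

function runSamples() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([k, r]) => [k, evaluate(r)]));
}

for (const [name, result] of Object.entries(runSamples())) {
  console.log(name.padEnd(11), result.allow ? 'ALLOW' : 'DENY ', result.reason || JSON.stringify(result.outbound));
}
```

Two points the sample runs make concrete: the `ok` request is allowed, but the portal session cookie and the SSO token are stripped because the anonymous feed back-end has no business receiving them, and the `Authorization` header is dropped for the same reason; the `traversal` and `plaintext` requests are denied because the target is matched on the normalised origin and path prefix and on the scheme, not on the raw string the script supplied.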