Hi everybody,

We have an application built using Predix Apphub. We are trying to adopt Predix Apphub features to meet customer security requirements but have not found documentation describing that information. My questions are:

1. How to make the Predix AppHub session cookie SameSite to protect against CSRF attacks?
2. Is there any documentation describing Predix App Hub access control and managing micro-app capabilities? E.g., how to restrict access to the "AppHub Settings" page?
3. How can I view Predix App Hub logs?
Thank you
Alexander
Answer by Jonnie Spratley · Nov 27, 2018 at 09:49 AM
Hi Alexander,
I'm not sure what you mean about protecting against CSRF. As for controlling access to micro-apps, you need to add the scope property to the micro-app. Then the current user must have that matching scope in order to view and use that application.
Hi Jonnie,

Thanks for your answer. Regarding CSRF: we have a case where we upload a file using the Predix Apphub UI. We have found that for content-type "multipart" there is no out-of-the-box Apphub CSRF protection. So, we are trying to work around that issue. According to my conversation with an Apphub engineer: not all browsers support the SameSite feature; they haven't added the feature yet because it might not allow access for those who are using older browsers.
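An added example (not Predix AppHub code) of the two-layer defence the thread circles around: a session cookie issued with SameSite, plus an Origin/Referer check on state-changing requests such as the multipart upload, which still protects users of browsers that ignore SameSite. The cookie name `app_session`, the origin `https://apphub.example.com` and the function names are assumptions.

```javascript
// Added example, not Predix AppHub code. Cookie name, site origin and
// function names are assumptions.
// 1. Issue the session cookie with a SameSite attribute so browsers that
//    support it withhold the cookie from cross-site form posts.
// 2. Browsers without SameSite support still send the cookie, and a
//    multipart upload is exactly what a cross-site <form> can submit, so
//    also require a matching Origin (or Referer) on state-changing requests.

// Set-Cookie value for the session cookie (cookie name is an assumption).
function sessionCookieHeader(sessionId, { sameSite = 'Lax', secure = true } = {}) {
  if (!['Strict', 'Lax'].includes(sameSite)) {
    throw new Error(`unsupported SameSite value: ${sameSite}`);
  }
  const parts = [
    `app_session=${encodeURIComponent(sessionId)}`,
    'Path=/', 'HttpOnly', `SameSite=${sameSite}`,
  ];
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// scheme://host[:port] of a header value, or null if absent or unparsable.
function originOf(value) {
  if (!value) return null;
  try { return new URL(value).origin; } catch (e) { return null; }
}

// Decide whether a request may change state. `req` is a plain
// {method, headers} object so the check runs without a server.
// Fails closed: no Origin and no Referer means reject, because a browser
// that sends neither is indistinguishable from a cross-site form post.
function csrfCheck(req, siteOrigin) {
  const method = req.method.toUpperCase();
  if (['GET', 'HEAD', 'OPTIONS'].includes(method)) {
    return { ok: true, reason: 'safe method' };
  }
  const headers = {};
  for (const [k, v] of Object.entries(req.headers)) headers[k.toLowerCase()] = v;
  const origin = originOf(headers['origin']) || originOf(headers['referer']);
  if (origin === null) {
    return { ok: false, reason: 'no Origin or Referer on state-changing request' };
  }
  if (origin !== siteOrigin) {
    return { ok: false, reason: `cross-site request from ${origin}` };
  }
  return { ok: true, reason: 'same-origin request' };
}

// Constructed sample: a multipart upload submitted from another site.
const CROSS_SITE_UPLOAD = {
  method: 'POST',
  headers: { 'Content-Type': 'multipart/form-data; boundary=xyz', Origin: 'https://other-site.example' },
};
```

Run `csrfCheck` before the upload body is parsed, so a rejected request never reaches the file handler.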