Enabling URL redirect filtering
When you enable URL redirect filtering, HCL Commerce rejects any requests that try to redirect to an unauthorized site. This feature is used to prevent phishing attacks where a link in an HCL Commerce site sends the shopper to another site.
Examples of URL redirection include:
- URL parameter in a URL command
- reLogonURL in Logon URL command
- URLs defined as click actions in the Marketing Tool. For example,
select * from collateral where URL like 'http%'
Procedure
- Open the HCL Commerce configuration file.
  - For a local store (migrated from IBM WebSphere Commerce Version 7 or IBM WebSphere Commerce Version 8), this is located within the Transaction server Docker container (ts-app).
  - For a remote store, this is located within the Store server Docker container (crs-app).
- Locate the web module where you want to enable this feature.
  For example, if you want to enable this feature for the Stores web module, modify the following section:

  <Module contextPath="/webapp/wcs/stores" fileServletEnabled="false" name="Stores" urlMappingPath="/servlet" webAlias="/wcsstore">
    <InitParameters adapters="XML/HTTP, BrowserAdapter" contextSetName="Store" handleDoubleClick="true"/>
  </Module>

  Note: If you want to enable this feature for store preview, you must instead modify the module whose context path is the preview path: Module contextPath="/webapp/wcs/preview".
- Add a URLRedirectFilter configuration element within the Module definition, as shown in the following example:

  <Module contextPath="/webapp/wcs/stores" fileServletEnabled="false" name="Stores" urlMappingPath="/servlet" webAlias="/wcsstore">
    <InitParameters adapters="XML/HTTP, BrowserAdapter" contextSetName="Store" handleDoubleClick="true"/>
    <URLRedirectFilter enable="true">
      <AllowedHost name="www.mycompany1.com"/>
      <AllowedHost name="www.mycompany2.com"/>
      <AllowedDomain name="mycompany3.com"/>
    </URLRedirectFilter>
  </Module>
The usage of these elements is described in the following list:
- URLRedirectFilter
  Specifies whether URL redirect filtering is enabled. To specify, set the value of the enable attribute. For example, <URLRedirectFilter enable="true">. Accepted values are:
  - true for enabled.
  - false for disabled.
- AllowedHost
  Specifies a single hostname that HCL Commerce allows redirection to; the match is against the whole hostname, so it does not cover hosts beneath it. By default, if this feature is enabled, the Web server hostname that is configured for the HCL Commerce instance is added to the allowed host list. To specify a hostname, use the name attribute. For example, <AllowedHost name="www.mycompany2.com"/>.
- AllowedDomain
  Specifies an entire domain that HCL Commerce allows redirection to. Use this element if you want to allow redirection to all hosts in a domain. To specify a domain, use the name attribute. For example, <AllowedDomain name="mycompany3.com"/>.
Example
With the URLRedirectFilter configuration shown in the procedure, the following hosts would be allowed by HCL Commerce:
- www.mycompany1.com
- www.mycompany2.com
- www.mycompany3.com
- myhost.mycompany3.com
- myhost2.mycompany3.com
The following hosts would be blocked by HCL Commerce:
- www.mycompany4.com
- myhost.mycompany1.com
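The following Python script is an added illustration of the allow-list semantics described on this page; it is not HCL Commerce product code and does not show how the product implements the check. It parses a <Module> element of the same shape as the snippet in the procedure, builds the allow-list, and applies the rules the page states: an AllowedHost entry matches exactly one hostname, an AllowedDomain entry matches the domain and every host beneath it, and the instance's own web server hostname is always allowed when the filter is on. The class and function names, the assumed instance hostname (store.example.com), and the extra handling of full redirect URLs (userinfo, scheme-relative targets, case and trailing-dot normalization) go beyond the page and are assumptions made for the example.

```python
"""Added illustration of an allow-list redirect filter (not HCL Commerce code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample configuration, shaped like the example in the procedure.
SAMPLE_MODULE_XML = """\
<Module contextPath="/webapp/wcs/stores" fileServletEnabled="false"
        name="Stores" urlMappingPath="/servlet" webAlias="/wcsstore">
  <InitParameters adapters="XML/HTTP, BrowserAdapter"
                  contextSetName="Store" handleDoubleClick="true"/>
  <URLRedirectFilter enable="true">
    <AllowedHost name="www.mycompany1.com"/>
    <AllowedHost name="www.mycompany2.com"/>
    <AllowedDomain name="mycompany3.com"/>
  </URLRedirectFilter>
</Module>
"""

INSTANCE_HOST = "store.example.com"  # assumed instance web server hostname


def _norm(host):
    """Lower-case and drop a trailing dot so 'WWW.X.com.' compares equal to 'www.x.com'."""
    return host.strip().lower().rstrip(".")


class RedirectFilter:
    def __init__(self, enabled, hosts, domains, instance_host):
        self.enabled = enabled
        self.hosts = {_norm(h) for h in hosts}
        self.domains = {_norm(d) for d in domains}
        if enabled:
            # The page states the instance's web server hostname is added
            # to the allowed host list whenever the filter is enabled.
            self.hosts.add(_norm(instance_host))

    @classmethod
    def from_module_xml(cls, xml_text, instance_host):
        module = ET.fromstring(xml_text)
        node = module.find("URLRedirectFilter")
        if node is None:
            return cls(False, [], [], instance_host)
        enabled = node.get("enable", "false").strip().lower() == "true"
        hosts = [h.get("name") for h in node.findall("AllowedHost") if h.get("name")]
        domains = [d.get("name") for d in node.findall("AllowedDomain") if d.get("name")]
        return cls(enabled, hosts, domains, instance_host)

    def host_allowed(self, host):
        if not self.enabled:
            return True
        host = _norm(host)
        if host in self.hosts:
            return True
        # A domain entry covers the domain itself and any label-delimited
        # subdomain: 'mycompany3.com' covers 'myhost.mycompany3.com' but not
        # 'notmycompany3.com'.
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def url_allowed(self, url):
        """Decide on a full redirect target rather than a bare hostname."""
        if not self.enabled:
            return True
        target = urlparse(url)
        if target.scheme == "" and target.netloc == "":
            return True  # relative path: stays on the current site
        # .hostname discards userinfo, so 'https://www.mycompany1.com@www.mycompany4.com/'
        # is judged on 'www.mycompany4.com'; an absolute form with no host is rejected.
        if target.hostname is None:
            return False
        return self.host_allowed(target.hostname)


def evaluate_page_example():
    """Run the hosts from the page's Example section; returns {host: allowed?}."""
    f = RedirectFilter.from_module_xml(SAMPLE_MODULE_XML, INSTANCE_HOST)
    candidates = [
        "www.mycompany1.com", "www.mycompany2.com", "www.mycompany3.com",
        "myhost.mycompany3.com", "myhost2.mycompany3.com",
        "www.mycompany4.com", "myhost.mycompany1.com",
    ]
    return {h: f.host_allowed(h) for h in candidates}


if __name__ == "__main__":
    for host, ok in evaluate_page_example().items():
        print(f"{'allowed' if ok else 'blocked':7}  {host}")
```

Running the script reproduces the page's Example: the first five hosts are allowed and www.mycompany4.com and myhost.mycompany1.com are blocked, the last because an AllowedHost entry for www.mycompany1.com does not extend to other hosts under mycompany1.com. The url_allowed method shows why a filter should inspect the parsed hostname of the whole target rather than a substring of the URL: an allowed hostname placed in the userinfo portion or a scheme-relative target still resolves to the foreign host.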