• IFrame issues after Microsoft changed default settings to SameSite cookie attribute

    Description: Chrome is changing its default handling of the SameSite cookie attribute: cookies that do not declare SameSite are treated as SameSite=Lax, and cookies declared SameSite=None must also carry the Secure flag (https://www.chromestatus.com/feature/5088147346030592). Microsoft is preemptively addressing this with the following update: https://support.microsoft.com/en-us/help/4524420/kb4524420. After this update, ASP.NET emits an explicit SameSite=None attribute when HttpCookie.SameSite is set to None (previously a value of None meant the attribute was omitted). This caused an issue with a client's IFrame which was loading a page from their largest customer'...

  • Critical forms issue: form submissions publicly available

    Description: In versions of Episerver Forms before 4.7 it is possible for form submissions to be accessible to all front-end users. End users may find confidential form data in search results, so steps should be taken to avoid this. Resolution: Update the EPiServer.Forms NuGet package to at least 4.7.0.

  • Magic Number And Signature Audit For File Upload Security

    Description: Episerver has out-of-the-box field validation for file type, file size, and number of uploaded files, but it does not have a magic number/signature audit, so a file whose extension is allowed is accepted regardless of what its bytes actually contain. This article contains recommendations for adding magic-number file upload security. Resolution: Process application requests in the global.asax and validate the request for upload at that time. The supported file extensions in Episerver can be seen here. Find a database of signature codes (that is up-to-date) and build a d...
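    The check the article recommends, as an added example that is not Episerver's code: the first bytes of the upload are compared against the signatures registered for the file's claimed extension, and a file whose content matches some other known type (a PDF or PHP script renamed to .png) is rejected with a reason. The extension whitelist and signature table below are constructed assumptions standing in for Episerver's extension list and the external signature database the article refers to; the global.asax wiring is not shown, only the validation logic it would call.

```python
"""Magic-number (file signature) check for uploaded files.

Added example; the SIGNATURES table is a constructed subset, not a full
signature database, and the allowed extensions are an assumption.
"""

# extension -> list of accepted (offset, signature bytes) pairs.
# Some formats have several legitimate headers (GIF87a / GIF89a).
SIGNATURES = {
    "png":  [(0, b"\x89PNG\r\n\x1a\n")],
    "gif":  [(0, b"GIF87a"), (0, b"GIF89a")],
    "jpg":  [(0, b"\xff\xd8\xff")],
    "jpeg": [(0, b"\xff\xd8\xff")],
    "pdf":  [(0, b"%PDF-")],
    # ZIP-based Office formats share the PK header; the signature alone
    # cannot tell docx from xlsx, so this only proves "is a ZIP container".
    "docx": [(0, b"PK\x03\x04")],
}

# Only this many bytes of the upload stream need to be read for the check.
HEAD_LEN = max(off + len(sig) for sigs in SIGNATURES.values() for off, sig in sigs)


def _matches(head: bytes, sigs) -> bool:
    return any(head[off:off + len(sig)] == sig for off, sig in sigs)


def sniff_type(head: bytes):
    """Return the first extension whose signature matches the bytes, or None."""
    for ext, sigs in SIGNATURES.items():
        if _matches(head, sigs):
            return ext
    return None


def validate_upload(filename: str, head: bytes):
    """Decide whether an upload may proceed.

    filename: the client-supplied name (extension is taken from the last dot,
              so 'shell.php.jpg' is judged as .jpg and then fails on content).
    head:     the first HEAD_LEN bytes of the uploaded stream.
    Returns (allowed, reason).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SIGNATURES:
        return False, f"extension '{ext or '(none)'}' not allowed"
    if _matches(head, SIGNATURES[ext]):
        return True, f"signature matches .{ext}"
    actual = sniff_type(head)
    if actual:
        return False, f"content has {actual} signature but claims .{ext}"
    return False, f"no known signature for .{ext}"


# Constructed uploads: (filename, first bytes as the server would read them).
SAMPLE_UPLOADS = [
    ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("photo.JPG", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.png", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),      # PDF renamed to .png
    ("avatar.gif", b"<?php system($_GET['c']); ?>"),      # script renamed to .gif
    ("shell.php", b"<?php echo 1; ?>"),                   # extension not allowed
]


def audit_samples():
    """Run the check over SAMPLE_UPLOADS; returns {filename: (allowed, reason)}."""
    return {name: validate_upload(name, head[:HEAD_LEN]) for name, head in SAMPLE_UPLOADS}


if __name__ == "__main__":
    for name, (ok, why) in audit_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {name:12s} {why}")
```

    Reading only HEAD_LEN bytes keeps the check cheap enough to run on every request; the real signature database will have longer and offset-based signatures, and HEAD_LEN grows with it automatically.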

  • How To Set EPiServerLogin Cookie Secure Flag

    Description: This article describes the step needed to set the Secure flag on the Episerver login cookie, so that the browser only sends it over HTTPS. Resolution: Setting requireSSL="true" on the EPiServer forms authentication element in web.config resolves the issue:
    <forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" defaultUrl="~/" requireSSL="true" />
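    Both cookie articles above (the SameSite/IFrame issue and the login cookie Secure flag) come down to inspecting the Set-Cookie header the server actually emits. The following is an added example, not Episerver's or Microsoft's code, that parses a Set-Cookie header and reports whether the Secure flag is present and whether a Lax-by-default browser would attach the cookie to a request from a page embedded in a third-party IFrame. The headers are constructed to look like the ones ASP.NET emits; the browser rules encoded (a missing SameSite attribute treated as Lax, SameSite=None rejected without Secure) are an assumption about Chrome's behaviour, not something the page states.

```python
"""Audit Set-Cookie headers for the Secure flag and cross-site IFrame viability.

Added example. Cookie headers below are constructed; the browser model is an
assumption (Lax-by-default, SameSite=None requires Secure).
"""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes.

    Flag attributes (Secure, HttpOnly) map to None; valued ones keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return {"name": name.strip(), "value": value, "attrs": attrs}


def secure_flag_set(header: str) -> bool:
    """True when the cookie carries Secure (what requireSSL="true" adds)."""
    return "secure" in parse_set_cookie(header)["attrs"]


def effective_samesite(header: str) -> str:
    """SameSite value a Lax-by-default browser applies: explicit value, else 'lax'."""
    value = parse_set_cookie(header)["attrs"].get("samesite")
    return value.lower() if value else "lax"


def sent_in_cross_site_iframe(header: str) -> bool:
    """Would the cookie be attached to requests from a page framed by another site?

    Requires SameSite=None and Secure; anything else is withheld (Lax/Strict)
    or rejected outright (None without Secure).
    """
    return effective_samesite(header) == "none" and secure_flag_set(header)


def audit(header: str) -> list:
    """Return human-readable findings for one Set-Cookie header (empty = fine)."""
    findings = []
    ss = effective_samesite(header)
    secure = secure_flag_set(header)
    if not secure:
        findings.append("missing Secure: cookie is also sent over plain http")
    if ss == "none" and not secure:
        findings.append("SameSite=None without Secure: cookie rejected by browser")
    if ss != "none":
        findings.append(f"effective SameSite={ss}: not sent from a cross-site IFrame")
    return findings


# Constructed headers in the shape ASP.NET emits them.
LOGIN_BEFORE = ".EPiServerLogin=abc123; path=/; HttpOnly"
LOGIN_AFTER = ".EPiServerLogin=abc123; path=/; secure; HttpOnly"   # requireSSL="true"
SESSION_LEGACY = "ASP.NET_SessionId=xyz; path=/; HttpOnly"         # no SameSite at all
SESSION_BROKEN = "ASP.NET_SessionId=xyz; path=/; SameSite=None; HttpOnly"
SESSION_FRAMEABLE = "ASP.NET_SessionId=xyz; path=/; SameSite=None; secure; HttpOnly"

if __name__ == "__main__":
    for h in (LOGIN_BEFORE, LOGIN_AFTER, SESSION_LEGACY, SESSION_BROKEN, SESSION_FRAMEABLE):
        print(h)
        for f in audit(h) or ["ok"]:
            print("   ", f)
```

    Running the audit against a live site means capturing the Set-Cookie response headers after the web.config change and confirming the login cookie now shows Secure; the session cookie used inside a third-party IFrame needs both SameSite=None and Secure, since one without the other either withholds or rejects it.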