Security Health Check Tool

The Security Health Check tool enables customers to view and manage their portal’s security settings.

To access the Security Health Check tool, go to Admin > Tools > Core Functions > Security Health Check.

Current Security Health Status

A new indicator is now included:

  • Yellow Settings - This displays the number of settings that are not currently aligned with Cornerstone's recommended settings and acts as a warning that your portal may be exposed to a security vulnerability.

The page continues to display:

  • Green Settings - This displays the number of settings that are currently aligned with Cornerstone's recommended settings.
  • Red Settings - This displays the number of settings that are currently not aligned with Cornerstone's recommended settings and indicates a critical security vulnerability.

We recommend you review all security issues (red and yellow settings) with your IT Security team to evaluate the risk and criticality for your portal.

Label Updates

To improve understanding, we have updated the labels of the sections:

  • Issues to Resolve is now labeled Recommended Actions.
  • Other is now labeled Secure Settings.

Available Settings

The following 10 settings are added for review to the Security Health Check Tool:

  • Allow Custom HTML Upload - This setting only applies to Legacy Connect, Knowledge Bank, Universal Profile: Documents, Universal Profile: Feedback, Custom HTML Widget in Communities and ILT room layouts. When False, this setting prevents administrators/moderators from uploading custom HTML files. It is recommended that moderators in these forums are not allowed to upload HTML files to prevent upload of malicious content. The recommended setting is False.
  • Secure HTML - When True, this setting enables a system wide HTML security processor that strips out unprotected JavaScript tags from textboxes throughout the application. It is recommended that HTML is secured to remove risk of insecure scripts being added to textboxes. The recommended setting is True.
  • Auto-close Browser on Logout - This setting only applies to Internet Explorer and Chrome. When True, this setting automatically closes your browser window, including all tabs open in the browser window, upon logging out of the Cornerstone application. It works natively on Internet Explorer and Chrome browsers but may require configuration on other browsers. It is recommended that your browser is auto-closed upon logout to fully terminate your session and ensure data privacy. The recommended setting is True.
  • Bypass XSS Validation - When False, this setting allows XSS validations to be performed across the application. It is recommended that XSS (Cross-Site Scripting) validations are allowed to prevent exposure to web application attacks such as injection of malicious scripts into your Cornerstone portal. The recommended setting is False.
  • Enable JavaScript on Page Builder - This setting only applies to pages where Page Builder is used (ex: Welcome page, custom pages). When False, this setting prevents the input of JavaScript on pages where Page Builder is used (ex: Welcome page, custom pages). It is recommended that JavaScript is prevented from being input into Page Builder to prevent malicious attacks, such as cross-site forgery. Please note: Bypass XSS Validation is a centralized control governing JavaScript across the application. While Cornerstone recommends that both settings are FALSE, users who choose to enable JavaScript on Page Builder must also have Bypass XSS Validation set to TRUE. The recommended setting is False.
  • Enable reCAPTCHA - This setting only applies to Self Registration, Forgot Password and Job Referral pages. When True, this setting enables the reCAPTCHA control on Self Registration, Forgot Password and Job Referral pages. reCAPTCHA is a CAPTCHA system that distinguishes between human and automated access to the application. It is recommended that reCAPTCHA is enabled to defend against automated attacks. The recommended setting is True.
  • Encode Training Text - This setting only applies to LO Details, Transcript Details and Course Console pages. When True, this setting encodes training descriptions and custom fields on the LO Details, Transcript Details and Course Console pages. For customers who embed HTML and script in these LMS fields, markup "</>" will be encoded on output instead of rendered by the browser. It is recommended that training text is encoded to prevent data from being compromised. The recommended setting is True.
  • Encrypt Self Registration URL - This setting only applies to Corporate Self Registration Group and Anonymous User Login pages. When True, this setting encrypts the URLs for Corporate Self Registration Group and Anonymous User Login pages. The unencrypted/generic URL (ex: https://[portalname].csod.com/selfreg/selfreglogin.aspx) will no longer work and users must self register using the encrypted URL (ex: https://[portalname].csod.com/selfreg/selfreglogin.aspx?c=self-reg1). It is recommended that the self registration URL is encrypted to prevent manipulation of the self registration ID. The recommended setting is True.
  • Prevent Application in iframe - This setting only applies to pages that require users to be logged in. Public pages that do not require the user to be logged in, such as Login, Forgot Password, Career Site, Self Registration pages, are excluded from this setting. When True, this setting prevents the Cornerstone application from being embedded in an iframe (Inline Frame) by setting the X-Frame-Options header to "SAMEORIGIN". It is recommended that the application is prevented from being embedded in an iframe to protect against clickjacking. The recommended setting is True.
  • Prevent Career Site in iframe - This setting only applies to the Career Site page. When True, this setting prevents the Career Site page from being embedded in an iframe (Inline Frame) by setting the X-Frame-Options header to "SAMEORIGIN". It is recommended that Career Site is prevented from being embedded in an iframe to protect against clickjacking. The recommended setting is True.
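Two of the settings above have effects that can be observed directly in the portal's HTTP responses: the "Prevent Application in iframe" / "Prevent Career Site in iframe" settings add an X-Frame-Options: SAMEORIGIN header, and "Encode Training Text" causes markup in descriptions to be encoded on output rather than rendered. The following Python script is an added example, not Cornerstone's code and not part of the original release notes: it checks a handful of constructed sample responses against those two behaviours and rolls the results up into the same green/yellow/red buckets the Security Health Check page uses. The sample paths, the `Response` type, and the colour mapping (SAMEORIGIN or the stricter DENY count as green, an obsolete ALLOW-FROM value as yellow, anything else as red) are assumptions made for the illustration.

```python
"""Local check of two response-level properties described by the
Security Health Check settings: X-Frame-Options on framed-protected pages,
and HTML encoding of training descriptions. Sample data is constructed;
nothing here contacts a live portal."""
import html
from dataclasses import dataclass, field


@dataclass
class Response:
    path: str                    # constructed path, not a real portal route
    expects_frame_header: bool   # True for logged-in pages and the Career Site
    headers: dict = field(default_factory=dict)


def check_frame_options(resp: Response):
    """Return (colour, message) for the iframe settings.

    Public pages such as Login or Forgot Password are excluded by the setting,
    so they are reported green regardless of the header. Header names and
    values are compared case-insensitively (HTTP header names are not
    case-sensitive). The colour mapping is an assumption of this example."""
    if not resp.expects_frame_header:
        return "green", f"{resp.path}: public page, excluded from the setting"
    lowered = {k.lower(): v for k, v in resp.headers.items()}
    value = lowered.get("x-frame-options", "").strip().upper()
    if value in ("SAMEORIGIN", "DENY"):
        return "green", f"{resp.path}: X-Frame-Options is {value}"
    if value.startswith("ALLOW-FROM"):
        # Framing is still permitted from another origin; modern browsers
        # ignore ALLOW-FROM, so treat it as a warning rather than a pass.
        return "yellow", f"{resp.path}: X-Frame-Options uses obsolete {value}"
    return "red", f"{resp.path}: missing or invalid X-Frame-Options ({value!r})"


def render_training_description(raw: str, encode_training_text: bool) -> str:
    """Emit a training description the way an LO Details page would under the
    two states of "Encode Training Text". With the setting True, '<', '>',
    '&' and quotes are encoded so the browser displays markup literally;
    with False the raw markup reaches the browser and is rendered."""
    return html.escape(raw, quote=True) if encode_training_text else raw


def health_summary(responses):
    """Count green/yellow/red results and list the non-green findings,
    mirroring the indicator layout of the Security Health Check page."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    findings = []
    for resp in responses:
        colour, message = check_frame_options(resp)
        counts[colour] += 1
        if colour != "green":
            findings.append((colour, message))
    return {"counts": counts, "findings": findings}


# Constructed sample responses (paths and headers are invented for the example).
SAMPLE_RESPONSES = [
    Response("/example/lo-details", True, {"X-Frame-Options": "SAMEORIGIN"}),
    Response("/example/login", False, {}),
    Response("/example/talent-profile", True, {}),
    Response("/example/career-site", True, {"x-frame-options": "sameorigin"}),
    Response("/example/reports", True,
             {"X-Frame-Options": "ALLOW-FROM https://intranet.example"}),
]

if __name__ == "__main__":
    summary = health_summary(SAMPLE_RESPONSES)
    print("Counts:", summary["counts"])
    for colour, message in summary["findings"]:
        print(f"[{colour.upper()}] {message}")
    raw = '<script>alert("hi")</script>'
    print("Encoded output:", render_training_description(raw, True))
    print("Rendered output:", render_training_description(raw, False))
```

Running the script prints three green, one yellow and one red result for the constructed responses, then shows the same description once encoded (the browser would display the tag text) and once raw (the browser would execute it). The check only inspects headers and strings, so it is safe to point at saved responses from your own portal to confirm the settings took effect after a change.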