Security Health Check Tool

The Security Health Check tool enables customers to view and manage their portal’s security settings.

To access the Security Health Check tool, go to Admin > Tools > Core Functions > Security Health Check.

Current Security Health Status

This section displays the following information:

  • Green Settings - This displays the number of settings that are currently aligned with Cornerstone's recommended settings.
  • Yellow Settings - This displays the number of settings that are not currently aligned with Cornerstone's recommended settings and acts a warning that your portal may be exposed to security vulnerability.
  • Red Settings - This displays the number of settings that are currently not aligned with Cornerstone's recommended settings and indicates a critical security vulnerability.
  • Last Security Check - This displays the date on which the security health check was last reviewed and by whom.

We recommend you review all security issues (red and yellow settings) with your IT Security team to evaluate the risk and criticality for your portal.

View and Edit Modification History

A menu icon is available in the upper-right corner of the Security Health Check page. This menu contains the following options:

  • View Modification History - Select this option to view the modification history in a flyout.
  • Export Modification History - Select this option to export the modification history to a Microsoft Excel file.

The Modification History contains the following information:

  • Name of the security setting that was modified
  • Original and updated value for the setting
  • Name of the user who modified the setting
  • Date and time of the update

Recommended Actions

This section displays details of each setting that is not currently aligned with Cornerstone's recommended settings.

Select the Resolve link to view additional details about the setting.

Administrators with the appropriate permissions can edit the setting to the recommended value. See Security Health Check - Resolve a Security Setting.

Secure Settings

This section displays details of each setting that is currently aligned with Cornerstone's recommended settings.

Select the View link to view additional details about the setting and its current configuration.

Available Settings

The following settings are currently available for review in the Security Health Check Tool:

  • AICC Course Session ID Encryption - This setting only applies to AICC and SCORM 1.2 courses. When True, this setting encrypts the session ID sent to AICC and SCORM 1.2 courses. It is recommended that session ID is encrypted to improve data security and reduce the risk of data flowing between user and Cornerstone Learning Management System (LMS) from being compromised. The recommended setting is True.
  • Allow Custom HTML Upload - This setting only applies to Legacy Connect, Knowledge Bank, Universal Profile: Documents, Universal Profile: Feedback, Custom HTML Widget in Communities and ILT room layouts. When False, this setting prevents administrators and moderators from uploading custom HTML files. It is recommended that moderators in these forums are not allowed to upload HTML files to prevent upload of malicious content. The recommended setting is False.
  • Auto-close Browser on Logout - This setting only applies to Internet Explorer and Chrome. When True, this setting automatically closes your browser window, including all tabs open in the browser window, upon logging out of the Cornerstone application. Works natively on Internet Explorer and Chrome browsers but may require configuration on other browsers. It is recommended that your browser is auto-closed upon logout to fully terminate your session and ensure data privacy. The recommended setting is True.
  • Bypass XSS Validation - When False, this setting allows XSS validations to be performed across the application. It is recommended that XSS (Cross-Site Scripting) validations are allowed to prevent exposure to web application attacks such as injection of malicious scripts into your Cornerstone portal. The recommended setting is False.
  • Enable JavaScript on Page Builder - This setting only applies to pages where Page Builder is used (ex: Welcome page, custom pages). When False, this setting prevents the input of JavaScript on pages where Page Builder is used (ex: Welcome page, custom pages). It is recommended that JavaScript is prevented from being input into Page Builder to prevent malicious attacks, such as cross-site forgery. Please note: Bypass XSS Validation is a centralized control governing JavaScript across the application. While Cornerstone recommends that both settings are FALSE, users who choose to enable JavaScript on Page Builder must also have Bypass XSS Validation set to TRUE. The recommended setting is False.
  • Enable reCAPTCHA - This setting only applies to Self Registration, Forgot Password and Job Referral pages. When True, this setting enables the reCAPTCHA control on Self Registration, Forgot Password and Job Referral pages. reCAPTCHA is a CAPTCHA system that distinguishes between human and automated access to the application. It is recommended that reCAPTCHA is enabled to defend against automated attacks. Encode Training Text. The recommended setting is True.
  • Encode Training Text - This setting only applies to LO Details, Transcript Details and Course Console pages. When True, this setting encodes training descriptions and custom fields on the LO Details, Transcript Details and Course Console pages. For customers who embed HTML and script in these LMS fields, markup "</>" will be encoded on output instead of rendered by the browser. It is recommended that training text is encoded to prevent data from being compromised. The recommended setting is True.
  • Encrypt Self Registration URL - This setting only applies to Corporate Self Registration Group and Anonymous User Login pages. When True, this setting encrypts the URLs for Corporate Self Registration Group and Anonymous User Login pages. The unencrypted/generic URL (ex: https://[portalname].csod.com/selfreg/selfreglogin.aspx) will no longer work and users must self register using the encrypted URL (ex: https://[portalname].csod.com/selfreg/selfreglogin.aspx?c=self-reg1). It is recommended that self registration URL is encoded to prevent manipulation of the self registration ID. The recommended setting is True.
  • Encrypt ViewState - When True, this setting encrypts the ViewState. The ViewState is a field used to save the current state of the application. It is recommended that ViewState is encrypted to maintain the confidentiality of the data and reduce the risk of information stored on the ViewState being compromised. The recommended setting is True.
  • Prevent Application in iframe -This setting only applies to pages that require users to be logged in. Public pages that do not require the user to be logged in, such as Login, Forgot Password, Career Site, Self Registration pages, are excluded from this setting. When True, this setting prevents the Cornerstone application from being embedded in an iframe (Inline Frame) by setting the X-Frame-Options header to "SAMEORIGIN". It is recommended that the application is prevented from being embedded in an iframe to protect against clickjacking. The recommended setting is True.
  • Prevent Career Site in iframe - This setting only applies to Career Site page. When True, this setting prevents the Career Site page from being embedded in an iframe (Inline Frame) by setting the X-Frame-Options header to "SAMEORIGIN". It is recommended that Career Site is prevented from being embedded in an iframe to protect against clickjacking. The recommended setting is True.
  • Prevent External URL Redirects - This setting only applies to Online Courses and Evaluations. When True, this setting validates that the Course Launch/Evaluation URL contains a redirect to a valid domain, such as CSOD or CyberU. If the URL is invalid, the user is redirected back to their previous page. It is recommended that the URL redirects are validated to prevent users from being redirected to an untrusted URL. The recommended setting is True.
  • SCORM CMI Data Encryption - This setting only applies to SCORM 1.2 and SCORM 2004 courses. When True, this setting encrypts SCORM CMI data transferred to the server. This includes learner information such as progress, interaction with the content object, success status, and complete status. It is recommended that SCORM CMI data is encrypted to improve data security and reduce the risk of data flowing between user and Cornerstone Learning Management System (LMS) from being compromised. The recommended setting is True.
  • Secure HTML - When True, this setting enables a system wide HTML security processor that strips out unprotected JavaScript tags from textboxes throughout the application. It is recommended that HTML is secured to remove risk of insecure scripts being added to textboxes. The recommended setting is True.
  • Strip unsupported HTML tags (Legacy Connect) - This setting only applies to the following Legacy Connect pages: Post Details, Edit Post, and Old Connect Bio. When True, this setting removes unsupported HTML tags from Legacy Connect Post Details, Edit Post, and Old Connect Bio pages. Using unsupported HTML tags (i.e., those not approved by the HTMLStripper) can pose a security risk by allowing attackers to inject malicious code into Legacy Connect pages. It is recommended that only approved tags are used. The following tags are approved: Br; P; B; I; U; Ul; Ol; Li; S; Em; Strong; Div; Span; Tabe; Th; Td; Tr; Tbody; Tfoot; Thead; Blockquote; H1; H2; H3; H4; H5; H6; Img; Map; Area; A. The recommended setting is True.