This Admin Instruction explains how to configure domain whitelist and
IMPORTANT: Trusted domains must be added to a domain whitelist! Please note that any Web API / PBX API integration will stop working if the domain is not added.
Created: April 2018
WMS Version: 3.88
Permalink: https://confluence.wildix.com/x/SwBuAQ
Introduction
The main purpose of adding domains to a whitelist is to protect PBX from cross-site request forgery (CSRF) attacks.
How it works:
Generally, web requests are restricted to only the current domain, per the same-origin policy. The same-origin policy is a significant security standard implemented by web browsers to prevent requests against a different origin (e.g., different domain) than the one from which it was served. At the same time, the same-origin policy also prevents legitimate interactions between a server and clients of a known and trusted origin.
To allow such interactions, cross-origin resource sharing (CORS) is used. It is a standard that allows cross-domain requests. The simplest way is to check that the request originates from a trusted site, using the Origin request header; the server then names the trusted origin in the response header:
Access-Control-Allow-Origin
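The Origin check described above, as an added example that is not Wildix code: the helper names are hypothetical, and the whitelist entries are assumed to follow the formats this page lists. It uses an exact match on the normalized origin, so a different scheme, port or look-alike host is rejected.

```javascript
// Added example, not Wildix code; all function names are hypothetical.
// Entries follow the page's formats: http(s)://<domain or IP address>[:port][/]
function normalizeOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // not a parseable absolute URL (e.g. "null", "")
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // url.origin is scheme://host[:port], lowercased, default port dropped,
  // with no path, so "https://Host:443/" and "https://host" compare equal.
  return url.origin;
}

function buildWhitelist(entries) {
  const set = new Set();
  for (const entry of entries) {
    const origin = normalizeOrigin(entry);
    if (origin === null) throw new Error(`unsupported whitelist entry: ${entry}`);
    set.add(origin);
  }
  return set;
}

// Returns the CORS response headers for a request, or null when the
// Origin header is absent or not whitelisted (no CORS headers are sent).
function corsHeadersFor(originHeader, whitelist) {
  if (typeof originHeader !== "string") return null;
  const origin = normalizeOrigin(originHeader);
  // Exact match on the full origin; no substring, suffix or regex tests.
  if (origin === null || !whitelist.has(origin)) return null;
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
}

// Constructed sample data: whitelist entries are two of the page's examples.
const WHITELIST = buildWhitelist([
  "https://ucua.wildixin.com/",
  "https://ucua.wildixin.com:4443/",
]);
const SAMPLE_ORIGINS = [
  "https://ucua.wildixin.com",
  "https://ucua.wildixin.com:4443",
  "http://ucua.wildixin.com",                   // scheme differs, not listed
  "https://ucua.wildixin.com.attacker.example", // look-alike host (constructed)
];
for (const o of SAMPLE_ORIGINS) console.log(o, "->", corsHeadersFor(o, WHITELIST) ? "allowed" : "rejected");
```

Because the scheme and port are part of the origin, http://ucua.wildixin.com/ needs its own whitelist entry even when the https variant is already listed.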
Configuration of Domain Whitelist
The whitelist is configured in WMS -> Settings -> PBX -> Security.
To configure a domain whitelist:
Enter an IP address / domain name and click + to add the value:
Supported formats of IP address / domain name:
- http://<domain or IP address> / https://<domain or IP address>
- http://<domain or IP address>:port / https://<domain or IP address>:port
Examples:
- https://ucua.wildixin.com/
- https://ucua.wildixin.com:4443/
- http://ucua.wildixin.com/
Note: Wildix Portal "https://pbx.wildix.com/" and Wildix Chrome Extension "https://chrome-extension://lobgohpoobpijgfegnlhdnppegdbomkn" are hardcoded in the whitelist; there is no need to add them.
Note: An IP range can't be specified in this case. You just need to enter one IP address or domain name.
After you enter all the values, click Save:
To delete a value from the list, click X.