We have implemented URL protection on several critical API endpoints. This update introduces a whitelisting requirement for URLs, enhancing the security and integrity of our API interactions. Operators must now explicitly whitelist the URLs to which these endpoints are allowed to redirect.
Purpose of t
This update is part of our ongoing commitment to security and data protection. By requiring the whitelisting of URLs, we prevent unauthorized redirection and potential phishing attacks. This ensures that only trusted and verified URLs are used in conjunction with our API endpoints.
Affected endpoints, with the example path and the parameter that carries the URL:
- /account/logout?redirectUrl=
- /api/1/sso/saml/logout?redirectUrl=
- /api/1/samp/generateEmail?shipmentId=0&tracker=0&hashIdentifier=0&staticEmail=
- /account/social-login/link?returnPath=
- /api/1/redirect/account/social-login/link?returnPath=
- /redirect/login?returnPath=
- /api/1/redirect/login?returnPath=
- /api/1/redirect/account/register?returnPath=
Actions required
For all existing ticket shops on point of sales:
Step 1: Whitelist the domains and URLs used with the endpoints listed above and enter them in the input box on the Gravity tab.
Path: Organizations context > Sales channel > Point of sales > Characteristics > Gravity tab (see 1st image below).
Step 2: Change the label value "config.account.activateValidationRedirectURL" from 'false' to 'true' to put the default restriction into effect (see 2nd image below).
Deadline for activation: For current clients impacted by these changes, a deadline has been set for implementing the necessary updates. After this date, the label value will automatically be switched to 'true', which activates the default restriction. The due date is set for: MISSING decision
For all clients setting up a new ticket shop on the POS:
Step 1: Whitelist the domains and URLs used with the endpoints listed above and enter them in the input box on the Gravity tab (see image below).
*No additional action is required; the restriction that limits redirect traffic is enabled by default.
The whitelisted domains and URLs must be entered in the section highlighted below under "Domain restrictions".
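As an added illustration (not the product's own code), the following shows the kind of check a redirectUrl or returnPath value has to pass once a domain whitelist is enforced: relative paths on the shop's own origin stay allowed, absolute URLs must name a whitelisted host exactly, and the usual look-alike forms are rejected. The allowed hosts are constructed sample values standing in for the entries of the "Domain restrictions" box.

```python
from urllib.parse import urlsplit

# Constructed sample allow-list; in the product these come from the
# "Domain restrictions" input on the Gravity tab.
ALLOWED_HOSTS = {"shop.example.com", "www.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-origin relative path or an
    absolute http(s) URL whose host is exactly on the allow-list."""
    if not target:
        return False
    # Browsers treat backslashes in the authority like slashes; normalise so
    # the scheme-relative check below cannot be sidestepped.
    target = target.replace("\\", "/")
    # "//host/..." looks relative but changes the origin: never allow it.
    if target.startswith("//"):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Plain path on this origin; require a leading "/" so it is unambiguous.
        return target.startswith("/")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Reject any userinfo: "https://shop.example.com@other.example/" would
    # otherwise read as the whitelisted host to a casual eye.
    if parts.username is not None or parts.password is not None:
        return False
    # hostname drops port and userinfo; compare exactly, not by suffix, so
    # "shop.example.com.other.example" is not accepted.
    host = (parts.hostname or "").lower()
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    for candidate in ("https://shop.example.com/account", "/account/home",
                      "//other.example/", "https://shop.example.com.other.example/"):
        print(f"{candidate!r}: {'allowed' if is_allowed_redirect(candidate) else 'rejected'}")
```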
What happens if you fail to apply the action:
The UR
How to change the label value: