Provide Enhanced HTML Form Security

Use any of the following procedures to address known security issues with the submission of HTML forms.
Use the "Protect Against Code Injection" Assertion 
By default, the "Protect Against Code Injection" assertion blocks the submission of HTML tags in HTML-form data. You can additionally restrict any of the following character classes:
  • PHP
  • Shell
  • LDAP
  • DN
  • LDAP Search
  • XPath injection 
Be aware that restricting characters in form data can cause problems: legitimate values that happen to contain a restricted character are rejected along with the attacks. For example, restricting DN would block the submission of a callback URL of the form https://<domain>:<port>/.
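To make that caveat concrete, the following added example (an illustration, not the gateway assertion's own implementation; the character sets, field names, sample submissions and registered callback host are all assumptions) applies per-class character filters to a login submission. It shows why a blanket DN restriction rejects a legitimate callback URL, and how a per-field policy plus a structural URL check avoids that without giving up the injection protection on the fields that actually reach a directory lookup.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Illustrative character classes, one per injection family from the list above.
# The sets are constructed here from the relevant standards (RFC 4514 DN escaping,
# RFC 4515 filter escaping, POSIX shell metacharacters); the gateway assertion's
# own sets are not documented on this page and may differ.
CLASSES: dict[str, re.Pattern[str]] = {
    "HTML":        re.compile(r"<\s*/?\s*[A-Za-z!]"),   # start of an opening/closing tag
    "PHP":         re.compile(r"<\?|\?>"),              # PHP open/close tags
    "SHELL":       re.compile(r"[;|&$`(){}\n]"),        # separators, substitution, grouping
    "LDAP_SEARCH": re.compile(r"[*()\\\x00]"),          # RFC 4515 filter specials
    "DN":          re.compile(r'[,+"\\<>;=]'),          # RFC 4514 DN specials
    "XPATH":       re.compile(r"""['"\[\]]"""),         # quote / predicate breakout
}
ALL_CLASSES = list(CLASSES)


def violations(value: str, classes: list[str]) -> list[str]:
    """Names of the requested classes whose characters occur in value."""
    return [name for name in classes if CLASSES[name].search(value)]


def validate_form(fields: dict[str, str], policy: dict[str, list[str]],
                  default: list[str]) -> dict[str, list[str]]:
    """Check every submitted field against the classes chosen for it.

    policy maps a field name to the classes enforced on that field; fields absent
    from policy get the default classes. Returns the violations per field, so an
    empty dict means the submission is accepted.
    """
    rejected: dict[str, list[str]] = {}
    for name, value in fields.items():
        hits = violations(value, policy.get(name, default))
        if hits:
            rejected[name] = hits
    return rejected


# Constructed registration data: callback hosts the client registered out of band.
REGISTERED_CALLBACK_HOSTS = {"client.example"}


def callback_allowed(url: str) -> bool:
    """Structural check for a callback URL: https only, registered host, no fragment.

    This is the alternative to character-class filtering for URL-valued fields: it
    accepts the '=' in a query string that the DN class would reject, while still
    refusing unregistered hosts, downgraded schemes and unparseable input.
    """
    try:
        parts = urlsplit(url)
        return (parts.scheme == "https"
                and parts.hostname in REGISTERED_CALLBACK_HOSTS
                and parts.fragment == "")
    except ValueError:  # e.g. malformed IPv6 literal
        return False


# Constructed sample submissions to the login form (not captured traffic).
LOGIN_FORM = {
    "username": "alice",
    "password": "correct horse battery staple",
    "redirect_uri": "https://client.example:8443/cb?state=abc",
}
HOSTILE_FORM = dict(LOGIN_FORM, username="alice)(|(uid=*")  # LDAP filter breakout

# Blanket policy: every class on every field, which is what enabling all the
# assertion's options amounts to.
BLANKET_POLICY: dict[str, list[str]] = {}

# Per-field policy: LDAP/DN classes only where the value reaches a directory lookup;
# the password is compared, never interpolated, so it is left alone; the callback URL
# gets the markup/shell classes and relies on callback_allowed() for the rest.
PER_FIELD_POLICY = {
    "username": ["HTML", "SHELL", "LDAP_SEARCH", "DN"],
    "password": [],
    "redirect_uri": ["HTML", "SHELL"],
}

if __name__ == "__main__":
    print(validate_form(LOGIN_FORM, BLANKET_POLICY, ALL_CLASSES))    # {'redirect_uri': ['DN']}
    print(validate_form(LOGIN_FORM, PER_FIELD_POLICY, ALL_CLASSES))  # {}
    print(validate_form(HOSTILE_FORM, PER_FIELD_POLICY, ALL_CLASSES))
    print(callback_allowed(LOGIN_FORM["redirect_uri"]))               # True
```

The blanket policy rejects the honest login because the query string of the callback URL contains "=", a DN special character; the per-field policy still catches the LDAP filter breakout in the username while letting the URL through to a check that understands URLs.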
Disable Auto-Complete for the OTK Authorization Server
By default, HTML form auto-complete is enabled. This common browser behavior allows for quicker entry of usernames and passwords.
However, you may wish to disable auto-complete on the OTK Authorization Server Website Template for improved security. Note that the password managers built into current browsers largely ignore autocomplete="off" on login fields, so treat this as hardening against casual form-history retention rather than as a guarantee that credentials are never stored client-side.
HTML form auto-complete is used in the OTK Authorization Server Website Template, the OAuth Manager, and the Test Clients. However, the OAuth Manager and Test Clients are for internal use only, so their HTML forms do not typically require the extra protection that disabling auto-complete provides.
Turn auto-complete off by editing the <form> element and adding the autocomplete="off" attribute.
OTK Authorization Server Website Template
To disable form auto-complete:
  1. Access the OTK Authorization Server Website Template policy at OTK/Policy Fragments/configuration/Authorization Server/.
  2. Search for "please login". This phrase appears in the first Set Context Variable assertion for the
  3. Copy the assertion.
  4. Open the #OTK Authorization Server Website Template policy found in OTK/Customizations/Authorization Server/.
  5. Paste the assertion.
  6. Double click the assertion and, within the <form> element, add autocomplete="off", so that the login markup reads:
     <p>Please login:</p>
     <form action="${location_login_server}" method="POST" class="form-body form-login" style="margin: 0;" autocomplete="off">
  7. Close the assertion properties dialog.
  8. Save and Activate.