Configuring multi-domain integration
When a DigDash dashboard is embedded in a web page hosted on a different server, the browser blocks requests as a security measure.
To allow portlets or dashboards to be displayed on a third-party domain, the following configurations must be carried out.
Web Server Configuration (Nginx)
This step enables the browser to accept responses from the remote DigDash server (the site hosting the dashboard):
Defining authorised domains
In the Nginx configuration file for the site hosting the dashboard, use a `map` block to list the trusted origins. This block must be placed before the `server {}` block or at the start of your configuration file.
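```nginx
map $http_origin $cors_origin {
    # Unlisted origins map to an empty string, so no Access-Control-Allow-Origin header is sent
    default "";
    "https://mywebsite.com" $http_origin;
    "https://mydashboard.com" $http_origin;
}
```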
Adding Security Headers
Within the `server {}` block of your site hosting the dashboard, add the following directives to authorise access and manage cookies:
```nginx
# 1. CORS headers
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization, x-gwt-module-base, x-gwt-permutation, x-requested-with" always;
add_header Access-Control-Allow-Credentials "true" always;

# 2. Cookie management in embedded mode
location / {
    proxy_cookie_path / "/; Secure; SameSite=None;";
}
```
Restarting the service
To apply the changes, check the configuration and reload Nginx:
```sh
# Validate the configuration syntax, then reload
sudo nginx -t
sudo service nginx reload
```
DigDash configuration
After configuring the Nginx server, you must define the authorised URLs within the application to enable protection against CSRF attacks.
- Edit the file `/etc/digdash/digdash.properties`
Modify or add the following property:
```properties
# List of domains separated by a comma
digdash_dashboard.PROP_CSRF_TARGET_ORIGIN=https://mywebsite.com,https://mydashboard.com
```
Alternatively, you can disable CSRF protection (not recommended):
- Restart the DigDash server: `sudo service tomcat10 restart`
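
An added consistency check (not DigDash or Nginx code) for the two allowlists configured above: it parses the Nginx `map` block and the `PROP_CSRF_TARGET_ORIGIN` property, then reports origins present in only one of them or written in a form a browser's `Origin` header never takes. The sample configs are constructed, with a deliberate trailing slash; treating the two lists as needing to match and as HTTPS-only is an assumption of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs mirroring the snippets on this page.
NGINX_CONF = '''
map $http_origin $cors_origin {
    default "";
    "https://mywebsite.com" $http_origin;
    "https://mydashboard.com/" $http_origin;
}
'''
DIGDASH_PROPS = '''
# List of domains separated by a comma
digdash_dashboard.PROP_CSRF_TARGET_ORIGIN=https://mywebsite.com,https://mydashboard.com
'''

def nginx_origins(conf):
    """Return the quoted keys of the `map $http_origin $cors_origin` block."""
    block = re.search(r'map\s+\$http_origin\s+\$cors_origin\s*\{(.*?)\}', conf, re.S)
    if not block:
        return set()
    return set(re.findall(r'^\s*"([^"]+)"\s+\$http_origin\s*;', block.group(1), re.M))

def digdash_origins(props):
    """Return the comma-separated values of PROP_CSRF_TARGET_ORIGIN."""
    m = re.search(r'^\s*digdash_dashboard\.PROP_CSRF_TARGET_ORIGIN\s*=\s*(.*)$', props, re.M)
    return {o.strip() for o in m.group(1).split(',') if o.strip()} if m else set()

def malformed(origin):
    """Origin headers are scheme://host[:port]; HTTPS-only is this example's assumption."""
    u = urlsplit(origin)
    return u.scheme != 'https' or not u.netloc or bool(u.path or u.query or u.fragment)

def audit(conf, props):
    ngx, dd = nginx_origins(conf), digdash_origins(props)
    return {
        'only_in_nginx': sorted(ngx - dd),
        'only_in_digdash': sorted(dd - ngx),
        'malformed': sorted(o for o in ngx | dd if malformed(o)),
    }

if __name__ == '__main__':
    for finding, origins in audit(NGINX_CONF, DIGDASH_PROPS).items():
        print(f'{finding}: {origins}')
```

Nginx compares plain `map` keys as exact strings, so the trailing-slash entry flagged here would never match a real `Origin` header and the embed would fail for that site.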