AWS solutions high security documentation change
Summary
Added new section about XSS protection and server-side HTML sanitization
Security assessment
Explicitly addresses stored XSS vulnerabilities by implementing HTML sanitization with an allowlist approach. Documents specific security controls to prevent client-side script injection.
Diff
diff --git a/solutions/latest/qnabot-on-aws/security-1.md b/solutions/latest/qnabot-on-aws/security-1.md index 2f9a60d9b..258daf66a 100644 --- a//solutions/latest/qnabot-on-aws/security-1.md +++ b//solutions/latest/qnabot-on-aws/security-1.md @@ -7 +7 @@ -Security best practicesAmazon S3 access logging bucket configurationMulti-factor authentication (MFA) in Amazon Cognito user poolsSingle sign-on with AWS IAM Identity CenterAWS WAF for Amazon API GatewayCreating a custom domain in Amazon API GatewayChildren Online Privacy Protection Act (COPPA) settings for Amazon LexAWS CloudFormation parametersAmazon CognitoAWS LambdaIAM rolesCloudWatch LogsData storage and protection +Security best practicesAmazon S3 access logging bucket configurationMulti-factor authentication (MFA) in Amazon Cognito user poolsSingle sign-on with AWS IAM Identity CenterAWS WAF for Amazon API GatewayCreating a custom domain in Amazon API GatewayChildren Online Privacy Protection Act (COPPA) settings for Amazon LexAWS CloudFormation parametersAmazon CognitoAWS LambdaIAM rolesCloudWatch LogsCross-site scripting (XSS) protectionData storage and protection @@ -68,0 +69,4 @@ For QnABot on AWS, CloudWatch Logs are set by default to never expire. You can [ +## Cross-site scripting (XSS) protection + +QnABot on AWS applies server-side HTML sanitization to the `alt.html` and `alt.markdown` response fields to prevent stored XSS attacks. The solution uses an allowlist of safe HTML tags and attributes. If your Q&A responses require custom HTML tags or attributes beyond the defaults, see [Server-side HTML sanitization](./server-side-html-sanitization.html) for instructions on updating the allowlist. +