Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Anchor
top
top
This topic describes how to set up an XperienCentral installation in a Windows 2012 and 2016 production environment. The result is that all requests for static content (images, style sheets, and so forth) are handled through the web server and requests for dynamic content (XperienCentral’s HTML) are forwarded by the web server to XperienCentral which processes the requests. In this topic, an environment will be created with two host names:

...

Back to top


...

Security Enhancements

...

GX Software constantly performs penetration tests using third parties in order to protect you from the latest security threats. The security tips listed below are frequently updated and added to based on our findings. Please review each tip in order to ensure that your XperienCentral environment is protected from the latest security vulnerabilities.

  • You should install an active virus scanner in the environment where XperienCentral is running. Because files (images, downloads, etc.) can be uploaded to XperienCentral, it is unwise to rely on the client's virus scanner to detect viruses. The installation of the virus scanner is out of scope for the XperienCentral documentation, therefore only this general recommendation is given.

  • To add more enhance security on a DNS level, a DNSSEC (Domain Name Systems Security Extensions) and a CCA CAA (Certification Authority Authorization) should be configured on the domain of a each client's website. This must be configured by the hosting company where with whom the domain is registered. Verify that this is activated for the corresponding website domain.

  • The XperienCentral environment (including Tomcat/Apache) should be isolated (from a security and performance perspective) from other software installations if they reside on the same server. This prevents unauthorized access between applications. When using a dedicated (virtual) server for the XperienCentral installation, this requirement is automatically fulfilled. This ensures that no access is given to other applications on the same server as XperienCentral, and if the website goes down because of performance issues, the other application(s) are not affected.

  • When HTTPS is used in an XperienCentral environment, make sure that the Cipher Suites that the server presents to the browser belonging to the SSL protocol has no weak suites available. Weak suites are a security risk and should not be delivered by the server. You can test the Cipher Suite weaknesses in your environment at ssllabs.com. You can view some examples of an Apache configuration for SSL Cipher Suites at https://ssl-config.mozilla.org/. One such example is:
     


    Code Block
    themeEclipse
    # intermediate configuration - tweak to your own needs
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384


     

     
  • When HTTPS is used, Expect-CT should be added to the response header in order to optimize the security of the SSL connection. This header forces the browser to check the SSL certificate for Certificate Transparency. If the SSL certificate is not transparent, the browser refuses the connection (the enforce option). Add the following header to your Apache configuration in order to enable Expect-CT headers: 

    Expect-CT: max-age=86400, enforce

  • To prevent the malicious use of browser API functions, you should add the response header Feature-Policy to your Apache configuration. This header sets restrictions on the browser API functions. For example, when the browser on a mobile device receives a header with the option camera 'none' then the camera can't be used on that device. The default setting for this header disables all API functions but can of course be customized. GX Software recommends that you add the following header to your default configuration:


    Code Block
    themeEclipse
    Feature-Policy: vibrate 'none'; geolocation 'none'; accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'; vibrate 'none'; vr 'none';



    The full list of options can be found at OWASP Feature Policy



Back to top