...
...
Security Enhancements
GX Software constantly performs penetration tests using third parties in order to protect you from the latest security threats. The security tips listed below are frequently updated and added to based on our findings. Please review each tip in order to ensure that your XperienCentral environment is protected from the latest security vulnerabilities.
- You To enhance security, you should install an active virus scanner in the environment where XperienCentral is running. Because files (images, downloads, etc.) can be uploaded to XperienCentral, it is unwise to rely on the client's virus scanner to detect viruses. The installation of the virus scanner is out of scope for the XperienCentral documentation, therefore only this general recommendation is given.
- To add more enhance security on a DNS level, a DNSSEC (Domain Name Systems Security Extensions) and a CCA CAA (Certification Authority Authorization) should be configured on the domain of a each client's website. This must be configured by the hosting company where with whom the domain is registered. Verify that this is activated for the corresponding website domain.
- The XperienCentral environment (including Tomcat/Apache) should be isolated (from a security and performance perspective) from other software installations if they reside on the same server. This prevents unauthorized access between applications. When using a dedicated (virtual) server for the XperienCentral installation, this requirement is automatically fulfilled. This ensures that no access is given to other applications on the same server as XperienCentral, and if the website goes down because of performance issues, the other application(s) are not affected.
When HTTPS is used in an XperienCentral environment, make sure that the Cipher Suites that the server presents to the browser belonging to the SSL protocol has no weak suites available. Weak suites are a security risk and should not be delivered by the server. You can test the Cipher Suite weaknesses in your environment at ssllabs.com. You can view some examples of an Apache configuration for SSL Cipher Suites at https://ssl-config.mozilla.org/. One such example is:
Code Block theme Eclipse # intermediate configuration - tweak to your own needs SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
- When HTTPS is used,
Expect-CTshould be added to the response header in order to optimize the security of the SSL connection. This header forces the browser to check the SSL certificate for Certificate Transparency. If the SSL certificate is not transparent, the browser refuses the connection (theenforceoption). Add the following header to your Apache configuration in order to enableExpect-CTheaders:Expect-CT: max-age=86400, enforce To prevent the malicious use of browser API functions, you should add the response header
Feature-Policyto your Apache configuration. This header sets restrictions on the browser API functions. For example, when the browser on a mobile device receives a header with the optioncamera 'none'then the camera can't be used on that device. The default setting for this header disables all API functions but can of course be customized. GX Software recommends that you add the following header to your default configuration:Code Block theme Eclipse Feature-Policy: vibrate 'none'; geolocation 'none'; accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'; vibrate 'none'; vr 'none';
The full list of options can be found at OWASP Feature Policy