Web Client - Security Considerations

When using a web-based interface to a critical application such as a PIM system, it is important that the security of the data is not compromised.
This page describes security considerations in relation to the use of Perfion via the Internet. The page is divided into two parts:

  • Part 1 will focus on a description of how Perfion is built to support a secure deployment

  • Part 2 will focus on guidelines for setting up a secure web server with Perfion

Security in the Perfion Web GUI

Application components

The Perfion Web GUI is essentially a server application, with which the individual client/browser interacts:

As such, the Perfion database remains hidden without exposure to the Internet. Security surrounding the database itself is no different from a scenario without the Web GUI, and will not be described here.
The Perfion Web GUI is built using Angular. Angular is a TypeScript-based open-source front-end web application platform led by the Angular Team at Google and by a community of individuals and corporations. Angular has a very wide adoption rate, and is considered an industry standard for web applications. We refer to the general Angular community for discussions on built-in security of the framework: Angular.
The hosting of the web server is provided by Microsoft Internet Information Services (IIS). As with Angular, IIS is a widespread industry standard. IIS can be configured in a multitude of ways.

Authentication

When a user connects to the web GUI, the username and password are used to generate a token, which is used for all subsequent communication with the server.
The token is stored in the local browser storage, and cannot be stolen by injection attacks because Angular prevents XSS attacks.
Of course, if an attacker obtains the username and password of a Perfion user, he/she will have the same access rights as the victim. Perfion encourages customers to enforce their own individual password policy.

Development guidelines and principles

Perfion's development team adheres to the general principles and best practices described on Angular.
Furthermore, the OWASP developer guide is considered (https://www.owasp.org/index.php/OWASP_Guide_Project), although no formal certification process is in place.
By following the Angular best practices, many previously common pitfalls are avoided. For example, scripting attacks are prevented because all user inputs are treated as untrusted text and HTML/JavaScript symbols are escaped. A deliberate exception from this is the PDF viewer, where the file contents are used as-is. Perfion is not responsible for security risks in the files which the users upload.

Users and data access

All users of the Perfion Web GUI are created like normal users of Perfion. This means that the administrator decides exactly which parts of the database the user can view or edit. Please refer to the Core User Guide for more details on how to restrict users' access.
Any restrictions that would be enforced in the Perfion Windows Client are also respected in the Web GUI.

Web server security

Microsoft Internet Information Services (IIS) can be configured in a number of ways, depending on the usage scenario and the preferences of the company using it.
In some scenarios, the IIS will only be accessible from the internal network. In these cases, some of the different security measures become less relevant, because access is restricted to machines behind the company firewall.
In other cases, where Internet connectivity is important, more or less drastic approaches can be taken. Perfion always recommends setting up the web server for HTTPS. For added security, it is also possible to create a whitelist of IP addresses or devices which can access the web server. However, it is beyond the scope of this page to address such considerations.
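As an illustration of the two measures named above, here is a web.config sketch for the IIS site that requires HTTPS and only admits listed addresses. This is an added example, not Perfion's own configuration: the address ranges are placeholders from the documentation ranges, and it assumes the IIS "IP and Domain Restrictions" feature is installed and a server certificate is already bound to port 443.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example. Addresses are placeholders; replace with your own ranges. -->
<configuration>
  <system.webServer>
    <security>
      <!--
        Weak (IIS default): sslFlags="None" lets the site answer over plain
        HTTP, so the login credentials and the token travel unencrypted.
        Hardened: sslFlags="Ssl" makes IIS refuse any request that did not
        arrive over TLS (the client receives HTTP 403.4).
      -->
      <access sslFlags="Ssl" />

      <!--
        Weak (IIS default): allowUnlisted="true" admits every source address.
        Hardened: allowUnlisted="false" turns the list below into an
        allowlist; any address not matched by an entry is rejected.
      -->
      <ipSecurity allowUnlisted="false">
        <!-- Placeholder: office network egress range -->
        <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- Placeholder: a single partner or VPN gateway address -->
        <add ipAddress="198.51.100.25" allowed="true" />
        <!-- Keep local administration on the server itself working -->
        <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

In a default IIS installation both the access and ipSecurity sections are locked at server level, so they must either be unlocked for the site or placed inside a location element for the site in applicationHost.config. If the server sits behind a reverse proxy or load balancer, IIS sees the proxy's address rather than the client's, and the allowlist has to be enforced at the proxy instead.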
Some good resources for secure setup can be found here:

 
