Securing Your Decisions Installation
  • Updated on 19 Mar 2019


The settings you can use to secure your Decisions Platform installation are described below.
Secure Cookies (this only works when the site is served over HTTPS)

Changes to be made:
C:\Program Files\Decisions\Decisions Web Host\web.config

C:\Program Files\Decisions\Decisions Web Host\HUI\web.config

In the system.web section of each file, update the forms tag as follows (requireSSL="true" is the setting that marks the authentication cookie as Secure):

<forms loginUrl="Login.aspx" defaultUrl="Default.aspx" timeout="20160" slidingExpiration="true" path="/" name="WFAuthCookie" requireSSL="true" />

Setting in Portal Settings:

Protecting against Cross-frame Scripting (XFS) attacks and clickjacking
Changes to be made: C:\Program Files\Decisions\Decisions Web Host\web.config

Add the following:

<!-- inside the system.webServer section -->
<httpProtocol>
    <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
</httpProtocol>

The same customHeaders block is also used to set the Content-Security-Policy, Cache-Control and X-Content-Type-Options headers:

<httpProtocol>
    <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; worker-src 'self' 'unsafe-inline' blob:" />
        <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
</httpProtocol>
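As an added example (not part of the Decisions documentation and not a Decisions tool), the following Python check parses a web.config and reports which of the settings above are missing: the requireSSL flag on the forms cookie, X-Frame-Options, Content-Security-Policy and X-Content-Type-Options. The two configuration fragments are constructed samples, and the CSP value in the hardened sample is shortened.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not the real Decisions files):
# the first lacks every setting the article describes, the second applies them.
WEAK_CONFIG = """<configuration>
  <system.web><authentication mode="Forms">
    <forms loginUrl="Login.aspx" name="WFAuthCookie" path="/" timeout="20160"/>
  </authentication></system.web>
  <system.webServer><httpProtocol><customHeaders/></httpProtocol></system.webServer>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web><authentication mode="Forms">
    <forms loginUrl="Login.aspx" name="WFAuthCookie" path="/" timeout="20160"
           slidingExpiration="true" requireSSL="true"/>
  </authentication></system.web>
  <system.webServer><httpProtocol><customHeaders>
    <add name="X-Frame-Options" value="SAMEORIGIN"/>
    <add name="Content-Security-Policy" value="default-src 'self'"/>
    <add name="X-Content-Type-Options" value="nosniff"/>
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

# Header name -> required value (None means any non-empty value is accepted).
REQUIRED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": None,
}

def audit_web_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # Secure cookies: the forms auth cookie must carry requireSSL="true".
    forms = root.find("system.web/authentication/forms")
    if forms is None or forms.get("requireSSL", "false").lower() != "true":
        findings.append("forms auth cookie is not restricted to HTTPS (requireSSL)")
    # Anti-clickjacking, CSP and nosniff headers that IIS adds to every response.
    adds = root.findall("system.webServer/httpProtocol/customHeaders/add")
    headers = {a.get("name"): a.get("value", "") for a in adds}
    for name, expected in REQUIRED_HEADERS.items():
        actual = headers.get(name)
        if not actual:
            findings.append(f"missing response header {name}")
        elif expected and actual.strip().lower() != expected.lower():
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    return findings
```

Run it against the real web.config files listed above by reading them with `open(path).read()`; a non-empty list tells you which step is still outstanding.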

Protecting against header injection attacks:
Ensure that a host name is set in your IIS site binding, so that IIS only serves requests carrying that Host header. Note that you can set multiple host headers here.

Excluding File Extensions
Navigate to System > Settings > Portal Settings. Under Globalization Settings, the Extensions Not Allowed text box lets users add the file extensions that should be excluded.

Below is a list of extensions (executable/scripts) which can be restricted:
