Securing Your Decisions Installation

Last Updated: 12/05/2018 Introduced in Version:

The settings you can use to secure a Decisions Platform installation are:

Secure Cookies (only takes effect when the site is served over HTTPS: the Secure flag tells the browser to send the cookie over HTTPS only. Do not enable it on a site served over plain HTTP, because ASP.NET then refuses to issue the forms cookie and logins fail.)

Changes to be made:

C:\Program Files\Decisions\Decisions Web Host\web.config 

C:\Program Files\Decisions\Decisions Web Host\HUI\web.config

Add <httpCookies requireSSL="true" /> inside the <system.web> section of each file. This marks the cookies ASP.NET issues, the session cookie included, with the Secure flag.

Update the <forms> element in the same section so that the forms-authentication cookie is restricted to HTTPS as well:

           <forms loginUrl="Login.aspx" defaultUrl="Default.aspx" timeout="20160" slidingExpiration="true" path="/" name="WFAuthCookie" requireSSL="true"/>

The timeout is in minutes, so 20160 keeps a session valid for 14 days of inactivity (slidingExpiration renews it on every request); shorten it if your session policy calls for a smaller window in which a stolen cookie stays usable.

Setting in Portal Settings:


Protecting against Cross-frame Scripting (XFS) attacks and clickjacking

Changes to be made: C:\Program Files\Decisions\Decisions Web Host\web.config


Add the following inside the <system.webServer> section (not <system.web>):

<httpProtocol>
           <customHeaders>
               <add name="X-Frame-Options" value="SAMEORIGIN" />
           </customHeaders>
       </httpProtocol>

SAMEORIGIN still allows pages from the same site to frame each other; use DENY if nothing legitimately frames the portal.


The same <customHeaders> element also carries the Content-Security-Policy, Cache-Control and X-Content-Type-Options headers; the fragment below adds the first and the last. Put these entries in the one <customHeaders> element together with X-Frame-Options rather than adding a second <httpProtocol> section. Note that this policy permits 'unsafe-inline' and 'unsafe-eval' for scripts, so on its own it will not stop injected script; its value is in limiting where script, images, styles and fonts may be loaded from. A frame-ancestors 'self' directive is the CSP equivalent of X-Frame-Options: SAMEORIGIN and can be added alongside it.

<httpProtocol>
           <customHeaders>
               <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src data:; worker-src 'self' 'unsafe-inline' blob:" />
               <add name="X-Content-Type-Options" value="nosniff" />
           </customHeaders>
       </httpProtocol>


Protecting against host header injection attacks:

Make sure every IIS binding for the Decisions site specifies the host name (you can add one binding per host name, so several host headers are allowed). Without a host name in the binding, IIS serves the application for any value of the Host header, and an application that builds absolute links or password-reset URLs from that header can be made to emit attacker-controlled addresses. With the host name set, a request carrying an unknown Host is not routed to the Decisions site; check that no other site on the same port has a catch-all binding that would answer it instead.
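The following script is an added example, not Decisions' own code or part of its documentation. It checks the settings from the Secure Cookies and header sections above against an HTTP response: the Secure flag on the WFAuthCookie forms cookie, X-Frame-Options (or a CSP frame-ancestors equivalent), the presence of a Content-Security-Policy and whether it still allows inline or eval script, and X-Content-Type-Options: nosniff. It can also send a bogus Host header to a live server to test the IIS binding described in this section. The host names and the two sample responses are constructed for illustration.

```python
"""Audit a Decisions host for the settings on this page (added example, not
Decisions' own code). audit_headers() reports what a parsed response lacks:
Secure on the WFAuthCookie forms cookie, X-Frame-Options (or CSP
frame-ancestors), a Content-Security-Policy (flagging inline/eval script) and
X-Content-Type-Options: nosniff. fetch_raw() pulls a live response and can send
a bogus Host header to test the IIS binding. Host names and samples are made up."""
import http.client
from typing import Dict, List, Optional, Tuple


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """(status, [(name, value), ...]); a list because Set-Cookie may repeat."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """'default-src 'self'; script-src 'self'' -> {'default-src': ["'self'"], ...}"""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def audit_headers(headers: List[Tuple[str, str]], cookie_name: str = "WFAuthCookie") -> List[str]:
    """Return 'FAIL: ...' / 'WARN: ...' findings; an empty list means every check passed."""
    findings: List[str] = []
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)
    # Secure Cookies: the forms-auth cookie must carry Secure (requireSSL="true").
    for cookie in by_name.get("set-cookie", []):
        if cookie.split("=", 1)[0].strip() == cookie_name:
            attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"FAIL: {cookie_name} is set without the Secure flag")
            if "httponly" not in attrs:
                findings.append(f"WARN: {cookie_name} is set without HttpOnly")
    # Clickjacking / XFS: X-Frame-Options, or the CSP frame-ancestors equivalent.
    xfo = [v.strip().upper() for v in by_name.get("x-frame-options", [])]
    csp = parse_csp(" ".join(by_name.get("content-security-policy", [])))
    if not xfo and "frame-ancestors" not in csp:
        findings.append("FAIL: no X-Frame-Options and no CSP frame-ancestors; page can be framed")
    elif xfo and xfo[0] not in ("DENY", "SAMEORIGIN"):
        findings.append(f"FAIL: X-Frame-Options {xfo[0]!r} is neither DENY nor SAMEORIGIN")
    # Content-Security-Policy: present, and how much it really restricts script.
    if not csp:
        findings.append("FAIL: Content-Security-Policy header missing")
    else:
        script = csp.get("script-src", csp.get("default-src", []))
        loose = [s for s in ("'unsafe-inline'", "'unsafe-eval'") if s in script]
        if loose:
            findings.append(f"WARN: CSP script-src allows {' '.join(loose)}; it will not stop injected script")
    # X-Content-Type-Options must be exactly 'nosniff'.
    if [v.strip().lower() for v in by_name.get("x-content-type-options", [])] != ["nosniff"]:
        findings.append("FAIL: X-Content-Type-Options: nosniff missing")
    return findings


def fetch_raw(host: str, path: str = "/", host_header: Optional[str] = None):
    """Live GET over HTTPS. host_header lets you connect to the real server but claim
    another name, which is the check for the host header injection section."""
    conn = http.client.HTTPSConnection(host, 443, timeout=10)
    conn.request("GET", path, headers={"Host": host_header or host})
    resp = conn.getresponse()
    headers = [(k.lower(), v) for k, v in resp.getheaders()]
    conn.close()
    return resp.status, headers


def bogus_host_rejected(status: int) -> bool:
    """With a host name in the IIS binding an unknown Host should not reach the app
    (HTTP.sys usually answers 400); anything other than 2xx counts as rejected."""
    return not 200 <= status < 300


# Constructed sample responses: unhardened, and with this page's settings applied.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Set-Cookie: WFAuthCookie=ticket; path=/\r\n\r\n<html></html>")
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Set-Cookie: WFAuthCookie=ticket; path=/; secure; HttpOnly\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src data:; worker-src 'self' blob:\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_response(raw)[1]) or ["all checks passed"])
    # Live (assumed host): audit_headers(fetch_raw("decisions.example.com", "/Login.aspx")[1])
    # and bogus_host_rejected(fetch_raw("decisions.example.com", host_header="evil.example")[0])
```

Against a real host, fetch the login page so the WFAuthCookie Set-Cookie is in the response, then run the audit on the returned headers; for the binding check, call fetch_raw with an unrelated host_header and expect bogus_host_rejected to be true. The hardened sample produces only the WARN about 'unsafe-inline' and 'unsafe-eval', which is exactly the caveat that applies to the CSP given on this page.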


Excluding File Extensions

Navigate to System > Settings > Portal Settings. Under Globalization Settings, the Extensions Not Allowed text box holds the file extensions that are to be excluded; add each extension you want blocked to this box.
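The check below is an added example, not Decisions' own code: the product applies the Extensions Not Allowed list itself. It shows what a denylist check of this kind has to cover to be useful, and goes a little beyond the setting as described: case-insensitive matching, the trailing dots and spaces that NTFS silently drops when a file is created (so "shell.aspx." lands on disk as shell.aspx), every extension in a multi-extension name such as report.pdf.exe or shell.aspx.bak, and names containing ';' or ':'. The BLOCKED_EXTENSIONS set is an assumed sample, not the list from this page.

```python
"""Filename denylist check with the cases an "Extensions Not Allowed" list must
survive (added example, not Decisions' own code; the product applies its own
list). It matches case-insensitively, strips the trailing dots and spaces NTFS
drops when the file is created, checks every extension in a multi-extension
name (report.pdf.exe, shell.aspx.bak), and rejects ';' and ':' in names.
BLOCKED_EXTENSIONS is an assumed sample, not the list from this page."""
from typing import Iterable, List, Optional, Set

# Assumed sample denylist of executable/script extensions; leading dot and case are ignored.
BLOCKED_EXTENSIONS = {"exe", "dll", "bat", "cmd", "ps1", "vbs", "js", "jar",
                      "asp", "aspx", "ashx", "asmx", "config"}


def normalise_extensions(extensions: Iterable[str]) -> Set[str]:
    """'.EXE', 'exe ', ' .Exe' all become 'exe'; empty entries are dropped."""
    return {e.strip().lstrip(".").lower() for e in extensions if e.strip().lstrip(".")}


def windows_final_name(filename: str) -> str:
    """Name the file will actually have on disk: path stripped, and trailing dots and
    spaces removed because NTFS discards them ('shell.aspx.' is stored as 'shell.aspx')."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rstrip(". ")


def extension_chain(filename: str) -> List[str]:
    """Every extension segment, lower-cased: 'report.pdf.exe' -> ['pdf', 'exe']."""
    parts = windows_final_name(filename).split(".")
    return [p.lower() for p in parts[1:] if p]


def is_blocked(filename: str, blocked: Optional[Iterable[str]] = None) -> bool:
    """True if the file must be refused under the denylist."""
    denylist = normalise_extensions(BLOCKED_EXTENSIONS if blocked is None else blocked)
    name = windows_final_name(filename)
    # ':' names an NTFS alternate data stream; ';' exploited a historic IIS 6
    # path-parsing bug (file.asp;.jpg). Neither belongs in an uploaded file name.
    if any(c in name for c in ";:"):
        return True
    return any(ext in denylist for ext in extension_chain(name))


if __name__ == "__main__":
    for sample in ("report.pdf", "REPORT.EXE", "report.pdf.exe", "shell.aspx. ", "a.tar.gz"):
        print(f"{sample!r:18} blocked={is_blocked(sample)}")
```

A denylist is always weaker than an allowlist: it has to anticipate every dangerous extension, while an allowlist only has to name the few types the portal actually needs. If uploads are limited to a handful of document types, invert the logic and accept only those.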


Below is a list of extensions (executable/scripts) which can be restricted:

Additional Resources