
Security considerations

Security features available in eFrontPro

eFrontPro employs elaborate filters to mitigate various kinds of attacks, such as XSS, CSRF, SQL injection and others, based on The Open Web Application Security Project (OWASP) guidelines. In addition, the codebase employs various measures in its logic to prevent unauthorised access and privilege escalation.

In addition, several tools are available to administrators to tailor the security level to their organisation's needs:

White/black listing
  1. IP whitelisting: You can specify any combination of IP addresses or IP spaces (using wildcards) that can access your installation, as a comma-separated list.
  2. Upload files blacklisting: You can restrict the file types allowed to be uploaded by utilising a black list.
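The IP whitelist above is entered as a comma-separated list with wildcards. The following is an added illustration, not eFrontPro's own code, of how such a list can be validated and matched safely: each "*" stands for exactly one whole octet, and the client address is checked before matching. The sample list and addresses are constructed, and `naive_allowed` shows a common mistake (turning "*" into an unanchored regex) that over-matches.

```python
import ipaddress
import re

# Constructed sample of the comma-separated list an administrator might enter
# (plain addresses and per-octet wildcards); not taken from a real installation.
WHITELIST = "203.0.113.10, 198.51.100.*, 10.0.*.*"


def parse_whitelist(value: str) -> list:
    """Split the admin string into validated 4-octet patterns ('*' = any octet)."""
    entries = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        octets = entry.split(".")
        ok = len(octets) == 4 and all(
            o == "*" or (o.isdigit() and 0 <= int(o) <= 255) for o in octets
        )
        if not ok:
            # Fail closed: a typo in the list should be caught when it is saved,
            # not silently allow or block the wrong hosts.
            raise ValueError(f"invalid whitelist entry: {entry!r}")
        entries.append(octets)
    return entries


def ip_allowed(client_ip: str, entries: list) -> bool:
    """Per-octet match: each '*' matches exactly one whole octet, nothing more.
    client_ip must be the address the web server itself saw for the connection,
    not a value copied from a client-supplied header."""
    try:
        # Reject anything that is not a well-formed IPv4 address first, so a
        # malformed value can never be matched by a wildcard.
        octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    except ValueError:
        return False
    return any(
        all(p == "*" or p == c for p, c in zip(pattern, octets))
        for pattern in entries
    )


def naive_allowed(client_ip: str, value: str) -> bool:
    """Common mistake: turn '*' into '.*' and use an unanchored regex search.
    Unescaped dots and missing anchors make '10.0.*.*' accept '110.0.0.1'."""
    return any(
        re.search(e.strip().replace("*", ".*"), client_ip) is not None
        for e in value.split(",") if e.strip()
    )
```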
Signing in/signing up
  1. Signing up can be restricted to require email verification or manual verification.
  2. Suspend accounts after failed logins: You can have the system temporarily lock an account after repeated failed login attempts. The lockout duration increases with each successive lockout.
  3. Prevent concurrent sign-ins with the same username: You can restrict different users from using the same account at the same time.
  4. SSO is supported via LDAP or SAML 2.
  5. Captcha authentication.
Passwords
  1. Password expiration: You can have users' passwords expire after a predefined amount of time.
  2. Restrict reuse of passwords: You can prevent users from reusing the same password when updating it after expiration.
  3. Password length: You can define the minimum password length.
  4. Password rules: You can define arbitrarily complex rules for passwords, using regular expressions.
  5. Force password change upon initial login: You can require users who were registered by an administrator to update their password the first time they sign in.
  6. Passwords are stored hashed using strong algorithms.
2-factor authentication support
  1. Using a QR code with the Google Authenticator app.
  2. Using an SMS.
  3. Using an email.
Access control privileges
  1. You can create user types with restricted access to certain areas of the system.
  2. You can create branches, each with its own restricted set of access rights to the system (e.g. specific courses, operations, etc.).
Malicious usage prevention
  1. XSS filters prevent users from submitting malicious content to your system.
  2. CSRF filters prevent phishing attacks or otherwise malicious manipulation of open user sessions.
  3. Protection against session hijacking by utilising recommended counter-measures.
  4. High risk actions (for example, purchase refunds) require that you enter “sudo” mode by re-authenticating.
  5. Prevention of self-XSS (browser console).
Data Encryption
  1. Encrypted database connection configuration file.
Logging and reporting
  1. User actions are kept in the system log for reviewing.
  2. System errors are logged for reviewing, if needed.
SSL
  1. eFrontPro can work under HTTPS right out of the box.
System information disclosing
  1. You can optionally prevent all system-generated errors (coming from the underlying system, e.g. PHP errors, SQL errors etc) from reaching the end user.

How to safeguard your system

No application can ever be 100% secure. The following tips will help you keep your environment safe:

  • Remove write access for the web server for any files and folders that the system does not require write access to. See Maintenance for a list of these folders.
  • Make sure that the system where your web and database servers are installed is always up-to-date. Use the latest release of a PHP version that is supported.
  • Anyone with administrator level access in your eFrontPro can install programs using the “Plugins” option. Disable it for administrator users who will not be installing plugins (using custom user types).