WoodWing Help Center

Elvis 6 security updates overview

This article describes the security updates for Elvis 6 as published in other locations of the Help Center such as the Elvis 6 Release Notes. Use it as a quick reference to find out if any of the issues affect your Elvis environment.

Important: The default configuration settings of Elvis 6 Server are aimed to keep the system as secure as possible. Change these settings with care and at your own risk.

Security configuration overview

The following is an overview of the security configuration of Elvis 6 Server.

Data changing APIs only accept POST requests

Because of improved security measures in the REST API of Elvis 6, all data changing APIs only accept POST requests, not GET requests. Also, the POST request needs to include a cross-site request forgery (csrf) token.

The csrf token is a unique code; a POST request that includes it is tied to the session that obtained it, which makes the request much harder to forge.

The csrf token is obtained by first logging in to Elvis Server through a POST request. The response that is received will include the csrf token, which can then be used in subsequent POST requests as an HTTP header:

"X-CSRF-TOKEN: <some_csrf_token>"

For more information including examples and a list of affected APIs, see Elvis 6 REST API - Performing a POST request with a csrf token.
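The flow described above, modelled from the server's side as an added example (this is not WoodWing's code or the Elvis REST API itself): log-in issues a per-session csrf token, and data-changing paths are refused unless the request is a POST carrying that token in X-CSRF-TOKEN. The service paths, the response field names and the demo credentials are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical data-changing endpoints; the real list is in the Elvis 6 REST API docs.
DATA_CHANGING_APIS = {"/services/update", "/services/remove"}


@dataclass
class Session:
    user: str
    csrf_token: str  # token handed out in the login response


class ElvisLikePolicy:
    """Toy model of the Elvis 6 rule: data-changing APIs are POST-only and need the csrf token."""

    def __init__(self):
        self.sessions = {}

    def login(self, username, password):
        # Constructed demo credentials stand in for a real credential check.
        if (username, password) != ("demo", "demo-password"):
            return 401, {}
        session_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)  # unique per session, unguessable
        self.sessions[session_id] = Session(username, token)
        return 200, {"sessionId": session_id, "csrfToken": token}  # field names assumed

    def handle(self, method, path, headers, session_id):
        session = self.sessions.get(session_id)
        if session is None:
            return 401  # no valid session: no API access at all
        if path in DATA_CHANGING_APIS:
            if method != "POST":
                return 405  # GET (and everything else) is refused for data-changing APIs
            sent = headers.get("X-CSRF-TOKEN", "")
            # Constant-time compare so the check leaks nothing about the expected token.
            if not hmac.compare_digest(sent, session.csrf_token):
                return 403  # POST without the session's token looks like a forged request
        return 200


if __name__ == "__main__":
    policy = ElvisLikePolicy()
    status, body = policy.login("demo", "demo-password")
    sid, token = body["sessionId"], body["csrfToken"]
    print(policy.handle("GET", "/services/update", {}, sid))                        # 405
    print(policy.handle("POST", "/services/update", {}, sid))                       # 403
    print(policy.handle("POST", "/services/update", {"X-CSRF-TOKEN": token}, sid))  # 200
```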

Cross-origin protection

AJAX calls to Elvis Server are blocked by Web browsers if the Web page that is making the call is not on one of the configured domains. By default, only the server domain is allowed.

Example: If Elvis Server is running on http://elvis.yourdomain.com and you want to perform a cross-domain REST search from a Web page hosted on http://www.yourdomain.com, the Web browser will not perform the request.

Note: The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. (See mozilla.org: Same-origin policy.)

For more information, see Elvis 6 API - cross origin.

Anti-clickjacking headers

Anti-clickjacking headers limit how the Elvis Web client is allowed to be loaded in iframes or other frames.

By default, the Elvis Web client is only allowed to be loaded in a frame originating from the same domain as the server.

It is however also possible to load the Elvis Web client from another domain than the server.

HTML previews

Previews of Web pages (files in .html format) that are stored in Elvis are disabled by default. They can be enabled with limited functionality or with full functionality.

For more information, see:

Log-in blocking

The number of times that a user can attempt to log in is limited.

When incorrect credentials are entered a few times, logging in from the user's IP address will be blocked for a short period of time.

Various options for this feature can be configured, see the 'log-in throttling' options below.

Security options that may affect your Elvis setup

The following lists some of the security issues that may affect your Elvis 6 environment.

Limited functionality for HTML pages loaded outside the Web client

HTML pages that are stored in Elvis will have limited functionality when they are loaded outside the Web client for use in banners, forms or other objects that depend on JavaScript or external sources. This is because of the Content Security Policy headers which limit what the object is allowed to do. (See HTML previews above.)

Web client prevented from loading in a frame or iframe

If your Elvis installation is used in combination with a solution that loads the Elvis Web client in a frame or iframe, the anti-clickjacking headers will prevent the Web client from being loaded, thereby breaking the integration. (See Anti-clickjacking headers above.)

No preview for Word files and Web pages when Web client is served from a different domain than Elvis Server

If your Elvis Web client is served from a different domain than Elvis Server, the anti-clickjacking headers will prevent previews for Word files (in .doc format) and Web pages (in .html format). (See Anti-clickjacking headers above.)

Additional security settings

Document history

  • 27 July 2017: Added section 'Data changing APIs only accept POST requests'.