
Elvis 5 security updates overview

This article describes the security updates for Elvis 5 as published in other locations of the Help Center such as the Elvis 5 Release Notes. Use it as a quick reference to find out if any of the issues affect your Elvis environment.

Important: The default configuration settings of Elvis 5 Server are intended to keep the system as secure as possible. Change these settings with care and at your own risk.

Security configuration overview

The following is an overview of the security configuration of Elvis 5 Server.

Cross-origin protection

AJAX calls to Elvis Server are blocked by Web browsers if the Web page that is making the call is not on one of the configured domains. By default, only the server domain is allowed.

Example: If Elvis Server is running on http://elvis.yourdomain.com and you want to perform a cross-domain REST search from a Web page hosted on http://www.yourdomain.com, the Web browser will not perform the request.

Note: The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. (See mozilla.org: Same-origin policy.)

For more information, see Elvis 5 API - cross origin.
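The following is an added example (not code from Elvis Server or WoodWing) of the server-side half of the cross-origin rule described above: a request is granted an Access-Control-Allow-Origin header only when its Origin header exactly matches the server's own origin or an origin the administrator has explicitly allowed; every other page gets no grant, and the browser then withholds the response. The allowlist variable names and the extra origin are constructed for the example; the real Elvis setting is documented in "Elvis 5 API - cross origin", not here.

```python
from typing import Dict, Iterable, Optional, Set
from urllib.parse import urlsplit

# Constructed configuration for the article's example: the server's own
# origin (always allowed) plus one extra origin an administrator has chosen
# to allow. These names are hypothetical, not Elvis configuration keys.
SERVER_ORIGIN = "http://elvis.yourdomain.com"
EXTRA_ALLOWED_ORIGINS = ["http://www.yourdomain.com"]


def normalize_origin(origin: str) -> Optional[str]:
    """Reduce an Origin header value to scheme://host[:port], lower-cased,
    with the scheme's default port dropped. Anything that is not a bare
    origin (path, query, userinfo, unknown scheme, bad port) yields None so
    it can never match the allowlist."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    host = parts.hostname.lower()
    default_port = 80 if parts.scheme == "http" else 443
    if port is None or port == default_port:
        return "%s://%s" % (parts.scheme, host)
    return "%s://%s:%d" % (parts.scheme, host, port)


def build_allowlist(server_origin: str, extra: Iterable[str]) -> Set[str]:
    """Normalise every configured origin once; malformed entries are dropped
    rather than silently matching nothing or everything."""
    allowed = set()
    for candidate in [server_origin, *extra]:
        norm = normalize_origin(candidate)
        if norm is not None:
            allowed.add(norm)
    return allowed


ALLOWED_ORIGINS = build_allowlist(SERVER_ORIGIN, EXTRA_ALLOWED_ORIGINS)


def cors_headers(request_origin: Optional[str],
                 allowed: Set[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Response headers for a request carrying the given Origin header.

    Only an exact allowlist match receives Access-Control-Allow-Origin. A
    prefix such as elvis.yourdomain.com.example, a different scheme or a
    different port is a different origin and gets nothing. Vary: Origin
    stops a shared cache from replaying one origin's grant to another."""
    if request_origin is None:
        return {}  # same-origin or non-browser request: no CORS grant needed
    norm = normalize_origin(request_origin)
    if norm is None or norm not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": norm, "Vary": "Origin"}


if __name__ == "__main__":
    for origin in (
        "http://elvis.yourdomain.com",          # the server's own origin
        "http://www.yourdomain.com:80",         # allowed; default port normalised away
        "https://elvis.yourdomain.com",         # different scheme, so a different origin
        "http://elvis.yourdomain.com.example",  # prefix match must not count
    ):
        print(origin, "->", cors_headers(origin))
```

The check deliberately never echoes an arbitrary Origin back or matches on substrings; both shortcuts would re-open exactly the cross-domain access that the default configuration closes.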

Anti-clickjacking headers

Anti-clickjacking headers limit how the Elvis Web client is allowed to be loaded in iframes or other frames.

By default, the Elvis Web client is only allowed to be loaded in a frame originating from the same domain as the server.

It is however also possible to load the Elvis Web client from another domain than the server. For more information, see the changes for Elvis 5.24 below.

HTML previews

Previews of Web pages (files in .html format) that are stored in Elvis are disabled by default. They can be enabled with limited functionality or with full functionality.

For more information, see the changes for Elvis 5.9 and the changes for Elvis 5.13 below.
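The following added example (not Elvis Server code) ties together the two header families just described: the anti-clickjacking headers for Web client pages and the Content Security Policy attached to an HTML preview in its disabled, limited or full mode. It also includes a small evaluator of the `frame-ancestors` directive, which reproduces the symptom listed later on this page: a preview served by the server with `frame-ancestors 'self'` cannot be framed by a Web client served from a different domain unless that domain is explicitly allowed. The exact directives in `PREVIEW_POLICIES` and the function names are assumptions for the example; the page only states that limited previews lose JavaScript and external sources.

```python
from typing import Dict, Iterable, Optional

# Constructed policies for the two enabled preview modes. The article only
# says that "limited" previews lose JavaScript and external sources; these
# exact directives are an assumption, not Elvis's shipped configuration.
PREVIEW_POLICIES = {
    "limited": "default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'",
    "full": "",  # no content restrictions beyond the framing rule
}


def frame_ancestors_directive(extra_frame_origins: Iterable[str] = ()) -> str:
    """'self' plus any explicitly allowed framing origins."""
    return " ".join(["frame-ancestors", "'self'", *extra_frame_origins])


def web_client_headers(extra_frame_origins: Iterable[str] = ()) -> Dict[str, str]:
    """Anti-clickjacking headers for Web client pages. With no extra origins
    the client may only be framed by its own origin; listing another domain
    is the relaxation the article attributes to Elvis 5.24 (the setting
    name is not given on this page)."""
    extra = list(extra_frame_origins)
    headers = {"Content-Security-Policy": frame_ancestors_directive(extra)}
    # X-Frame-Options has no allowlist form (ALLOW-FROM is obsolete), so it
    # is only emitted for the plain same-origin policy; CSP carries the rest.
    if not extra:
        headers["X-Frame-Options"] = "SAMEORIGIN"
    return headers


def html_preview_headers(mode: str,
                         extra_frame_origins: Iterable[str] = ()) -> Optional[Dict[str, str]]:
    """Headers for serving a stored .html file as a preview. None means the
    preview is not served at all, which is the default."""
    if mode == "disabled":
        return None
    if mode not in PREVIEW_POLICIES:
        raise ValueError("unknown preview mode: %r" % mode)
    directives = [d for d in (PREVIEW_POLICIES[mode],
                              frame_ancestors_directive(extra_frame_origins)) if d]
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "; ".join(directives),
    }


def framing_allowed(headers: Dict[str, str], server_origin: str, embedder_origin: str) -> bool:
    """Evaluate the frame-ancestors directive the way a browser does: may a
    page at embedder_origin place this response in a frame or iframe?"""
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0] == "frame-ancestors":
            sources = {server_origin if t == "'self'" else t for t in tokens[1:]}
            return embedder_origin in sources
    return True  # no frame-ancestors directive: CSP places no framing restriction


if __name__ == "__main__":
    server = "https://elvis.yourdomain.com"
    client = "https://www.yourdomain.com"  # Web client hosted on another domain
    for extra in ([], [client]):
        preview = html_preview_headers("limited", extra)
        print("extra origins", extra, "-> preview framed by Web client:",
              framing_allowed(preview, server, client))
```

Run as a script, the first line shows the broken-preview case (Web client on a different domain, nothing extra allowed) and the second shows the same setup after that domain has been added to the framing allowlist.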

Log-in blocking

The number of times that a user can attempt to log in is limited.

When incorrect credentials are entered a few times, logging in through the user’s IP address will be blocked for a short period of time.

Various options for this feature can be configured; see the 'log-in throttling' options below.
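As an added example (not Elvis Server code), the following shows the log-in blocking behaviour described above in a few dozen lines: failed attempts are counted per IP address inside a sliding window, the IP is blocked for a short period once the count reaches a threshold, and a blocked IP is refused before its credentials are even checked. The thresholds, the `FakeClock` used to demonstrate expiry without sleeping, and the `demo_credentials` check are constructed for the example; the article does not state Elvis's actual defaults.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class LoginThrottle:
    """Per-IP log-in throttle.

    After `max_failures` wrong attempts from one IP inside `window_seconds`,
    that IP is blocked for `block_seconds`; a correct log-in clears the
    failure count. The defaults here are constructed for the example, not
    the values Elvis ships with."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 60.0,
                 block_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.block_seconds = block_seconds
        self._clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:
            del self._blocked_until[ip]  # the block has expired
            return False
        return True

    def record_failure(self, ip: str) -> None:
        now = self._clock()
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_seconds
            recent.clear()

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)

    def attempt(self, ip: str, username: str, password: str,
                check_credentials: Callable[[str, str], bool]) -> str:
        """Returns "blocked", "denied" or "ok". A blocked IP is refused before
        the credentials are looked at, so the response during a block does
        not reveal whether a guess was right."""
        if self.is_blocked(ip):
            return "blocked"
        if check_credentials(username, password):
            self.record_success(ip)
            return "ok"
        self.record_failure(ip)
        return "denied"


class FakeClock:
    """Manually advanced clock so the time-based behaviour can be shown
    without sleeping (constructed for the example)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo_credentials(username: str, password: str) -> bool:
    # Constructed stand-in for the real credential check.
    return username == "editor" and password == "correct-horse-battery"


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, window_seconds=60,
                             block_seconds=120, clock=clock)
    ip = "203.0.113.7"  # documentation address, constructed
    for pw in ("wrong-1", "wrong-2", "wrong-3", "correct-horse-battery"):
        print(clock.now, pw, "->", throttle.attempt(ip, "editor", pw, demo_credentials))
    clock.now = 121.0  # block has expired
    print(clock.now, "correct-horse-battery", "->",
          throttle.attempt(ip, "editor", "correct-horse-battery", demo_credentials))
```

Because the key is the client IP address, every user behind the same NAT or proxy shares one failure count and one block, which is why the article describes the block as lasting only a short period; when tuning the options, keep the block short enough that a shared address is not locked out for long.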

Security options that may affect your Elvis setup

The following lists some of the security issues that may affect your Elvis 5 environment.

Limited functionality for HTML pages loaded outside the Web client

HTML pages that are stored in Elvis will have limited functionality when they are loaded outside the Web client for use in banners, forms or other objects that depend on JavaScript or external sources. This is because of the Content Security Policy headers, which limit what the object is allowed to do. (See HTML previews above.)

Web client prevented from loading in a frame or iframe

If your Elvis installation is used in combination with a solution that loads the Elvis Web client in a frame or iframe, the anti-clickjacking headers will prevent the Web client from being loaded, thereby breaking the integration. (See Anti-clickjacking headers above.)

No preview for Word files and Web pages when Web client is served from a different domain than Elvis Server

If your Elvis Web client is served from a different domain than Elvis Server, the anti-clickjacking headers will prevent previews for Word files (in .doc format) and Web pages (in .html format). (See Anti-clickjacking headers above.)

Elvis 5 Server changes by version

Use the following overview to see which security changes were made for a particular version of Elvis 5 Server.

Elvis Server 5.24 changes

Elvis Server 5.13 changes

Elvis Server 5.12 changes

Elvis Server 5.10 changes

Elvis Server 5.9 changes

Elvis Server 5.7 changes

Document history

  • 3 May 2017: Added changes for Elvis 5.24.