Security
- SAML: The following is available to ease configuration:
  - You can create a self-signed SP certificate with the Alfabet Administrator:
    - Click the Alfabet Aliases node in the explorer.
    - In the toolbar of the view that opens, click Tools > Create self-signed certificate.
    - In the editor, provide the following details:
      - File Path: Click Select and define a name and location for the file.
      - Password: Enter a password for the certificate.
      - Issued To: Enter the issuer of the certificate. Server certificates are typically issued to host names, which could be a machine name or domain name.
      - Save certificate into Certificate Store: Set the checkmark to store the certificate in the certificate store of your current host.
  - The Examples folder of the Alfabet Web Application directory contains a folder Log_SAML containing an appsettings.json file and an alfasettings.json file with the required configuration to use NLog with SAML.
- Only HTTPS is used for the connection between the client side and the Alfabet Web Application. HTTP is no longer used by default; its use can still be enforced, but this is not recommended.
- Session handling has been enhanced:
  - User sessions and allocation of resources only start after user login.
  - Only one session is allowed per browser window.
  - If the user has opened multiple tabs for the same session and logs out in one tab, the session is closed for all tabs.
  - A session is limited to one browser window. Copying a link from one active session to another browser or browser window will require a re-login in the new browser window.
  - The browser cache is cleared at the end of the session.
- The following has been added to the web.config file of the Alfabet Web Application to avoid information disclosure in the HTTP header:

  ```xml
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  ```
- To change the default content security policies for the Alfabet Web Application, the following must be included in the alfasettings.config file:

  ```json
  "AlfabetWebConfig": {
    [....]
    "ContentSecurityPolicyValue": "content security policy directives"
  },
  ```
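The two header changes above (removing `X-Powered-By`, setting a Content-Security-Policy) are easy to verify from the outside. The following is an added example, not Alfabet's own code: it parses a raw HTTP response header block and reports whether the disclosure header is still present and whether a CSP with a `default-src` fallback is set. The two response samples are constructed for the example, and the CSP directive string in the "after" sample is an illustrative assumption, not a recommended Alfabet setting.

```python
"""Offline audit of an HTTP response's security headers (added example)."""
from typing import Dict, List

# Constructed sample: a response before the web.config change
# (X-Powered-By present, no Content-Security-Policy).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

# Constructed sample: after removing X-Powered-By and configuring a CSP value.
# The policy itself is an assumed illustration, not a recommended setting.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw header block into a lowercase-name -> list-of-values map.

    Header names are case-insensitive and a header may appear more than once,
    so every value is kept rather than the last one winning."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(raw: str) -> List[str]:
    """Return the list of findings; an empty list means both checks pass."""
    headers = parse_headers(raw)
    findings: List[str] = []

    # Check 1: the framework-disclosure header the web.config change removes.
    if "x-powered-by" in headers:
        findings.append(
            "X-Powered-By discloses the framework: "
            + ", ".join(headers["x-powered-by"])
        )

    # Check 2: a CSP is present and has a default-src fallback, so that
    # fetch directives not named explicitly are still restricted.
    csp = headers.get("content-security-policy")
    if not csp:
        findings.append("Content-Security-Policy header is missing")
    else:
        directives = {d.strip().split(" ")[0] for d in csp[0].split(";") if d.strip()}
        if "default-src" not in directives:
            findings.append("Content-Security-Policy has no default-src fallback")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(sample) or ["ok"])
```

To use it against a live deployment, feed `audit_headers` the header block returned by any HTTP client and treat a non-empty result as a configuration regression.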