Security

This page lists the current security policies enforced throughout our product.

Security headers

Security-related headers are added to responses from both the Web (GUI) and API service. The following sections describe the security headers that are enabled by default in Exivity.

Content-Security-Policy

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).

X-XSS-Protection

The X-XSS-Protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers. Browsers usually enable this filter by default; sending the header enforces it.

Strict-Transport-Security

The Strict-Transport-Security header is a security enhancement that restricts web browsers to accessing the web server solely over HTTPS. This ensures the connection cannot be established over an insecure HTTP connection, which could be susceptible to attacks.

X-Content-Type-Options

The X-Content-Type-Options header prevents Internet Explorer and Google Chrome from sniffing a response away from the declared Content-Type. This reduces the danger of drive-by downloads and helps the browser treat the content the right way.

Feature-Policy

The Feature-Policy header grants the ability to allow or deny browser features, whether in its own frame or content within an inline frame element.

Referrer-Policy

The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) is included with requests. It is set to strict-origin, which sends only the origin of the document as the referrer when the protocol security level stays the same (HTTPS → HTTPS), and sends nothing to a less secure destination (HTTPS → HTTP).

Authentication tokens

API tokens use the widely used JWT encoding format, and we take extra measures to harden the tokens:

  • Configurable lifetime (defaults to 4 hours)

  • Configurable storage policy (defaults to session storage)

  • Revoked at logout

  • Invalidate all user tokens on request

  • Client fingerprinting

API rate limiting

All API requests are rate limited to avoid overloading the server. Requests containing a user password in the payload are rate limited even further to mitigate brute-force attacks against user credentials.

User lockout

Users are denied new login attempts for a certain time interval when they use the wrong password several times.

Cross-Origin Resource Sharing (CORS)

Exivity by default only allows CORS requests to its API from the public instance domain. Additional CORS origins may be configured.

Password policy

Password complexity is configurable through a system-wide password policy setting. These policies are currently available:

Policy                                 Rules
-------------------------------------  ------------------------------------------------------------------------------------------
Length check                           Passwords must be at least 8 characters long.
Length and dictionary check            Must pass the rule above. Passwords must not be among the most common passwords (top 50,000).
Length, dictionary and entropy check   Must pass the rules above. Passwords must have a Shannon entropy value of at least 3.5.
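The three policies above as a worked check, added here as an illustration and not Exivity's own code. Shannon entropy is computed over the password's own character frequencies (H = -Σ p_i·log2 p_i, in bits per character); the common-password set is a constructed stand-in for the top-50,000 list, and case-insensitive dictionary matching is an assumption of this example.

```python
import math
from collections import Counter

# Constructed stand-in for the product's top-50,000 common-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Each policy is the set of rules it enforces; later policies include the earlier ones.
POLICIES = {
    "length": ("length",),
    "length_dictionary": ("length", "dictionary"),
    "length_dictionary_entropy": ("length", "dictionary", "entropy"),
}

MIN_LENGTH = 8      # characters
MIN_ENTROPY = 3.5   # bits per character


def shannon_entropy(password: str) -> float:
    """H = -sum(p_i * log2 p_i) over the frequency of each character in the password.
    A password made of n distinct characters scores exactly log2(n)."""
    n = len(password)
    if n == 0:
        return 0.0
    counts = Counter(password)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def min_distinct_chars(threshold: float = MIN_ENTROPY) -> int:
    """Smallest number of distinct characters that can reach the entropy threshold,
    since log2(n) is the maximum entropy attainable with n distinct characters."""
    return math.ceil(2 ** threshold)


def check_password(password: str, policy: str, common=COMMON_PASSWORDS) -> list:
    """Return the names of the rules the password fails under `policy` (empty list = accepted)."""
    failures = []
    for rule in POLICIES[policy]:
        if rule == "length" and len(password) < MIN_LENGTH:
            failures.append("length")
        elif rule == "dictionary" and password.lower() in common:  # case-insensitive: assumption
            failures.append("dictionary")
        elif rule == "entropy" and shannon_entropy(password) < MIN_ENTROPY:
            failures.append("entropy")
    return failures
```

Note that a 3.5-bit threshold implies at least 12 distinct characters (log2(11) ≈ 3.46 falls short), so the entropy policy quietly raises the effective minimum length above 8.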

CSV injection mitigation

CSV cells should not begin with characters that could enable a CSV injection attack. Any exported cell value beginning with one of the following characters is prefixed with an apostrophe (', Unicode U+0027) to neutralise it:

  • Equals Sign (=, Unicode U+003D)

  • Plus Sign (+, Unicode U+002B)

  • Hyphen-Minus (-, Unicode U+002D)

  • Commercial At (@, Unicode U+0040)
