eFront employs elaborate filters to mitigate various kinds of attacks, such as XSS, CSRF, SQL injection, and others, based on the Open Web Application Security Project guidelines (OWASP).
In addition, the codebase employs various measures to prevent unauthorized access and privilege escalation.
Several tools are available to tailor the security level to your organization’s needs.
White/Black-listing
- IP whitelisting: Specify IP addresses or ranges (using wildcards) allowed to access your portal
- Upload files blacklisting: Restrict allowed file types for uploads
Signing in / Signing up
- Restrict sign-up via email verification or manual approval
- Suspend accounts after failed login attempts (lockout duration increases progressively)
- Prevent concurrent sessions using the same username
-
SSO support:
- LDAP
- SAML 2
- OpenID Connect (OIDC)
- Google reCAPTCHA v2 authentication
- SCIM provisioning for automated user provisioning and lifecycle management
Passwords
- Password expiration after a predefined period
- Prevent reuse of previous passwords
- Configure minimum password length
- Maximum password length (default: 32 characters)
- Define complex password rules using regular expressions
- Force password change on first login
- Passwords are stored hashed using strong algorithms
Two-factor Authentication (2fa)
- Support for:
- Google Authenticator (QR code)
- SMS
- 2FA enforcement via environment variable (enforce_2fa)
- Remember device option for trusted devices
Session & Access security
- Automatic logout / idle session timeout
- Enhanced session security toggle
- Protection against session hijacking using recommended countermeasures
- System lock-down mode to restrict access during critical operations
Access Control Privileges
- Create user types with restricted permissions
- Use branches to control access to content, users, and operations
Malicious Usage Prevention
- XSS filters prevent malicious content submission
- CSRF protection prevents unauthorized actions via active sessions
- Prevention of self-XSS (browser console abuse)
Data Encryption
- Secure handling of sensitive configuration using environment variables
- Secure database connections and encrypted transport
Logging and Reporting
- User actions are logged for auditing
- System errors are logged for troubleshooting
CORS and System Protection
- CORS origins whitelist to control allowed cross-origin requests
- Optional suppression of system-level error messages (e.g., PHP, SQL)
SSL
- Supports HTTPS out of the box for secure communication
System information disclosure
- Prevent system-generated errors from being exposed to end users
| Note : The previous reference to “sudo mode” has been removed as it cannot be verified in the current codebase. |