Security

Security features available in eFront

eFront employs elaborate filters to mitigate various kind of attacks, such as XSS, CSRF, SQL injection and others, based on The Open Web Application Security Project guidelines.

In addition, the codebase employs various measures in its logic to prevent unauthorized access and privilege escalation.

Moreover, there are several tools available to administrators, in order to tailor the security level to their organization's needs:

White/black-listing

  1. IP whitelisting: You can specify any combination of IP addresses or IP spaces (using wildcards) that can access your installation, as a comma-separated list
  2. Upload files blacklisting: You can restrict the file types allowed to be uploaded by utilizing a black-list

Signing in/signing up

  1. Signing up can be restricted to email verification or manual verification
  2. Suspend accounts after failed logins: You can have the system temporarily lock an account after repeated failed login attempts. The account lockout time increases every time
  3. Prevent users from signing in using the same username: You can restrict different users from using the same account at the same time
  4. SSO is supported via LDAP or SAML 2
  5. Google reCAPTCHA v2 authentication

Passwords

  1. Password expiration: You can have users' passwords expire after a predefined amount of time
  2. Restrict reuse of passwords: You can prevent users from reusing the same password when updating it after expiration
  3. Password length: You can define the minimum password length
  4. Password rules: You can define arbitrarily complex rules for passwords, using regular expressions
  5. Force password change upon initial login: You can have users that were registered by an administrator to be forced to update their password the first time they connect
  6. Passwords are stored hashed using strong algorithms
2-factor authentication support
  1. Using QR-code via Google Authenticator app
  2. Using an SMS
  3. Using an Email
Access control privileges
  1. You can create user types with restricted access to certain areas of the system
  2. You can create branches, each having its own restricted set of access to the system (e.g. specific courses, operations etc)
Malicious usage prevention
  1. XSS filters prevent users from submitting malicious content to your system
  2. CSRF filters prevent phishing attacks or otherwise malicious manipulation of open user sessions.
  3. Protection against session hijacking by utilizing recommended countermeasures
  4. High-risk actions (for example, purchase refunds) require that you enter "sudo" mode by re-authenticating
  5. Prevention of self-XSS (browser console)
Data Encryption
  1. Encrypted database connection configuration file
Logging and reporting
  1. User actions are kept in the system log for review
  2. System errors are logged for review if needed
SSL
  1. eFront can work under HTTPS right out of the box
System information disclosing
  1. You can optionally prevent all system-generated errors (coming from the underlying system, e.g. PHP errors, SQL errors etc) from reaching the end-user

Related articles