
Ensuring the security of all our customers' applications is a foundational element of the Thinkwise Platform. To maintain the integrity and security of our platform components, we have regular penetration tests conducted by a third party, designed to identify potential vulnerabilities before they can be exploited. We are proud that no exploitable vulnerabilities have ever been found during these tests, reflecting our commitment to security. 

However, ensuring security does not end with the platform components. The infrastructure on which these components are deployed plays a crucial role in maintaining a secure environment. One key aspect of this infrastructure is the web server configuration. Even the most secure platform can be compromised if the underlying web server is not configured correctly. 

 

The Importance of Web Server Security Headers

Among the critical elements of web server configuration are security headers. These headers provide an additional layer of security by controlling how browsers interact with your site. Three of the most important security headers are:

Content Security Policy (CSP)

CSP is a security standard designed to prevent various types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. By specifying which sources of content are trusted, CSP helps to mitigate the risk of malicious content being executed on your website. It significantly reduces the attack surface by limiting the sources from which resources can be loaded.

HTTP Strict Transport Security (HSTS)

HSTS is a policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. By enforcing secure (HTTPS) connections to your server, HSTS ensures that all communications between the browser and the server are encrypted. This prevents sensitive information from being intercepted or tampered with.

Other Security Headers

Headers like X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection prevent various attacks by controlling how browsers handle your website's content. For instance, X-Content-Type-Options prevents MIME type sniffing, X-Frame-Options protects against clickjacking, and X-XSS-Protection enables cross-site scripting filtering.

Configuring Your Web Server Correctly

To implement these security measures, your web server must be configured correctly. For Thinkwise applications utilizing IIS (Internet Information Services), we provide comprehensive guidelines to ensure your server is set up to maximize security. Our deployment documentation outlines the necessary steps to configure your IIS web server effectively:

IIS configuration | Thinkwise Documentation (thinkwisesoftware.com)

 

To verify that your security headers are correctly configured, you can use the tool available at SecurityHeaders.com.

By following these guidelines and configuring your web server correctly, you can significantly enhance the security of your Thinkwise deployment. While our platform components are designed to be secure, a properly configured infrastructure is essential to protect your applications and data from potential threats.

Stay secure!

I hope the support from Thinkwise, as in documentation, will grow a bit more towards Linux/Unix as well. But thanks for the heads-up; we were not that secure, it appeared. But now we are A+ :)


@Jasper, when striving to get an A+, it actually did break the u-GUI.

Any suggestions on the security headers' contents?

Content-Security-Policy "
  default-src 'self';
  script-src 'self';
  connect-src 'self';
  img-src 'self';
  style-src 'self'; > this one needs to have 'unsafe-inline' for the login page to work.
  font-src 'self' data:;
" always;


Hi Freddy,

The required Content Security Policy for the Universal GUI is documented here.

While it’s true that you cannot achieve an A+ score with this policy, it is necessary because we use Google Fonts in the Universal GUI. Please note that you will also need to change the font-src directive.

For more information, also see this website.


Ok. Thanks. Could this be placed in a more generic section of the documentation? We don't use IIS, and therefore I probably didn't encounter it. However, to be fair, I could have used the search.


Applying the suggested CSP headers according to the documentation on an NGINX web server breaks the Universal GUI. The others seem to work fine.

