The secure system means not only to protect data but, first of all, to ensure a continual operation of the business solution or any other on-line activity alone. The CMS WebJET and all its regularly updated distributed versions include a number of operational security benefits of an audited system.
Total operational security of a website consists of:
- Security of operational system
- Security of applications running under the given operational system (database, other services).
- Security of a web application.
Disruption of any of the above listed elements causes instability of the entire on-line system, and therefore it is necessary to minimize risks in each of these areas. The security of the operational system and running services is provided by IT department of the hosting organization; if required, we deliver the services of our specialists. CMS as a web application offers a standard, verified by many years of experiences in this area.
Security solutions of CMS WebJET
CMS WebJET is regularly tested by penetration/security tests and contains a number of protective solutions, for instance:
- SQL Injection – database uses Prepared Statement, in which it is not possible to perform SQL Injection attacks and gain sensitive data.
- Cross-site Scripting (XSS) – CMS WebJET includes detection and filtering of banned characters and audits of XSS attacks.
- Cross-site Request Forgery (CSRF) – the access to administrator´s area is checked for CSRF attack and sites are not allowed to insert frames in order to prevent Click Jacking; the web applications can use CSRF tokens to protect the forms.
- Session Stealing - session is linked to an IP address; it is not possible to use session cookie at will; the application is also protected against Session Fixation attack.
- Denial of Service (DOS) – forms and application modules contain integrated control limiting the number of dispatching and the speed of forms dispatching, which limits the load to the server during the demanding operations.
- Distributed Denial of Service (DOS) - CMS WebJET supports operations using fast reverse proxy to provide high-performance website with limited number and speed of single HTTP requests.
- Brute Force – when entering incorrect username or password, another trial to log in is restricted and cannot be executed for a defined period of time. The system generates a unified response to incorrect username or password, so it is not possible to identify which one is not correct.
- File Extension Handling – integrated check of uploaded files, which disables upload of files with dangerous extensions; for forms, there is an option to define safe extension and maximum file size.
- Cross-site Tracking (XST), HTTP Methods Testing – checking of dialled HTTP methods; WebJET allows only necessary GET and POST methods.
- Logging in to administrator´s area can be restricted to selected IP addresses; there is an option to enforce a secure connection.
- Credentials transport – each website can be set to request a secure connection; domains with available SSL certificate can be set to dispatch standard forms through a secure connection. Any part of a part of a web presentation in CMS WebJET can be password protected either on the section level or on separate web page level. The same level of protection can be set for physical files designated for download.
- Multiplatform - CMS WebJET can run under Windows or Linux/Unix - no code modifications are needed. If, in near or distant future, your company decides that Windows is not a platform with sufficient protection against external attacks, CMS can be easily transferred to Linux platform.
- Auditing – all operations on the front-end and back-end levels are recorded in so-called logs. The operations recorded in logs can be distinguished also according to a user who performed the operation.
- Application logic is divided into two parts based on the Model View Controller paradigm: the business layer (database operations) is separated from the presentation layer (HTML code). At the same time, the business layer is on the server in a compiled form and it cannot be modified directly.
If there are specific security demands, we design and implement customized security solution of your website or administrator´s area.
Logging in and password security
CMS WebJET standard logging requires a username and a password. Based on the authorizations, the logging is then verified and the access is either granted or denied. All passwords stored on the web server are hashed using the salt.
To increase security, an encrypted HTTPS protocol can be used, in which the entire communication between a guest´s server and the web server is encrypted. Registration mechanism can be further enhanced by an authenticating SMS.
Regular security audit
Due to its modularity, CMS WebJET is a successful solution for smaller businesses as well as for corporations and banks. For banks, the system is regularly audited by independent companies in order to meet strict security criteria. Potential issues revealed during the audit are corrected and improvements are included in standard installations for other customers, so small and medium size companies gain the same advantages of the audited system.
CMS WebJET provides a high-standard security.