
Identity Manager 8.2.1 - Web Designer Web Application Configuration Guide


Disable automatic password storage

Use this setting to prevent auto-filling of your user data on the login page. The setting is made in the Web Designer and helps you run web applications more securely.

Table 16: Configuration parameter for disabling automatic password storage

  Configuration parameter             Description
  VI_Common_Login_PrefillLoginData    Prevents auto-filling user data on the login page.

To disable automatic password storage

  1. Open the Web Designer.
  2. In the menu bar, select the Edit > Configure project > Web project menu item.
  3. On the Configure Project tab, search for "VI_Common_Login_PrefillLoginData".
  4. In the Allow prefill of login data key, in the Value (custom) column, click .

This sets the default value to "false", which disables automatic password storage.

Disabling the HTTP request method TRACE

The TRACE request method lets the path to the web server be traced and lets you check that data is transferred there correctly. In effect it provides a trace route at application level, that is, the path to the web server across the various proxies. This method is particularly useful for debugging connections.

IMPORTANT: TRACE should not be enabled in a productive environment because it can reduce performance.

To disable the HTTP request method TRACE using Internet Information Services

  • You will find instructions by following this link: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/tracing/

Using HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism for HTTPS connections that helps protect websites against protocol downgrade attacks and cookie hijacking. For example, a server sends the header "Strict-Transport-Security" to the user's browser so that, for a defined period (max-age), the browser uses only encrypted connections to this domain. The setting can optionally be extended to all subdomains with the parameter includeSubDomains. This means that not only https://example.org is taken into account but also https://subdomains.example.org.

To enable HSTS

  1. Open the configuration file web.config for the chosen web application.
  2. Set the HTTP response header Strict-Transport-Security with the value max-age=expireTime.

    For more detailed information about setting the HTTP Response Header, see https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/hsts.
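The following web.config fragment is added here as an example and is not taken from the Identity Manager guide; it combines the TRACE and HSTS recommendations above by sending the Strict-Transport-Security header (with the optional includeSubDomains extension) and using IIS request filtering to refuse the TRACE verb. The max-age of one year and the decision to cover subdomains are assumptions to adjust for your deployment.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- "To enable HSTS", step 2: send the Strict-Transport-Security header.
         max-age is in seconds; 31536000 is one year (assumed value).
         includeSubDomains is the optional extension described above: add it
         only if every subdomain of this host is served over HTTPS, because the
         browser will refuse plain HTTP to all of them for the whole period.
         Browsers ignore this header on plain-HTTP responses, so it is safe to
         emit it unconditionally here. -->
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security"
             value="max-age=31536000; includeSubDomains" />
      </customHeaders>
    </httpProtocol>

    <!-- "Disabling the HTTP request method TRACE": deny the verb with request
         filtering. IIS then answers TRACE requests with 404 (substatus 404.6,
         "Verb denied") instead of echoing the request back, while all other
         verbs remain allowed (allowUnlisted="true"). -->
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After deploying, confirm the result from a client: an HTTPS response to the web application should carry the Strict-Transport-Security header, and a TRACE request should be answered with 404 rather than an echo of the request.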

Disabling insecure encryption mechanisms

For security reasons, it is recommended that you disable all unnecessary encryption methods and protocols. If you disable redundant protocols and methods, older platforms and systems may no longer be able to establish connections with the web applications. Therefore, you must decide which protocols and methods are necessary, based on the platforms you need to support.

NOTE: The software "IIS Crypto" from Nartac Software is recommended for disabling encryption methods and protocols.

For more information about disabling encryption, see https://www.nartac.com/Products/IISCrypto.
