Posted Tue, 10 Dec 2024 17:23:28 GMT by Edwin Fabian Donato TI

Good day,

I have some concerns regarding the security of DocuWare's cloud service and would like to understand how the implemented infrastructure addresses these needs. Additionally, I would appreciate it if you could indicate whether there is any official documentation or additional resources available in the Partner Portal that delve deeper into these topics.

Below are my specific questions:

  1. Content Security Policy (CSP):

    • Why is Content Security Policy (CSP) not enabled in DocuWare to mitigate attacks such as data injection or Cross-Site Scripting (XSS)?
    • Are there any recommendations or alternative configurations that achieve this purpose?
  2. Cookies Without SameSite Attribute:

    • I noticed that the dwingressplatform cookie lacks the SameSite attribute. This could potentially facilitate attacks such as Cross-Site Request Forgery (CSRF). What is the reasoning behind this configuration?
  3. X-Frame-Options Header:

    • Why is this header not configured to prevent 'ClickJacking' attacks?
  4. Timestamp and Version Information Exposure:

    • The servers reveal timestamps and version details in HTTP responses. What is the reason for exposing this information?
    • How can it be justified that such exposure does not facilitate security vulnerabilities?
  5. X-Content-Type-Options Header:

    • This header is not set to nosniff, which could allow attacks such as MIME sniffing. Are there plans to address this risk?
  6. HSTS Protection:

    • How does DocuWare implement HTTP Strict Transport Security (HSTS) to protect against downgrade attacks?
  7. Third-Party JavaScript Files:

    • I have observed that JavaScript files from third-party domains are included. How does DocuWare ensure that these files do not pose a security risk?

I appreciate any clarification or related documentation you can share.
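The header checks listed in the post above can be reproduced against any saved HTTP response; this is an added example, not part of the original post and not DocuWare code. The sample response is constructed (only the cookie name `dwingressplatform` comes from the post), and the finding labels and the `MIN_HSTS` threshold are assumptions chosen for illustration.

```python
import re

MIN_HSTS = 15552000  # assumed minimum max-age (180 days); not a value from the thread

# Constructed sample response, not captured from any real server.
SAMPLE = """\
HTTP/1.1 200 OK
Server: ExampleServer/1.2.3
Set-Cookie: dwingressplatform=abc123; Path=/; Secure; HttpOnly
Set-Cookie: session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=300
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs, keeping repeated headers."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """Return labels for the header gaps raised in the post."""
    pairs = parse_headers(raw)
    hdr = {n: v for n, v in reversed(pairs)}  # first occurrence wins
    findings = []
    csp = hdr.get("content-security-policy", "")
    if not csp:
        findings.append("csp-missing")
    # CSP frame-ancestors is the modern equivalent of X-Frame-Options.
    if "x-frame-options" not in hdr and "frame-ancestors" not in csp:
        findings.append("framing-unrestricted")
    if hdr.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")
    m = re.search(r'max-age="?(\d+)', hdr.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append("hsts-missing")
    elif int(m.group(1)) < MIN_HSTS:
        findings.append("hsts-short-max-age")
    for n, v in pairs:
        if n == "set-cookie":
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if not any(a.startswith("samesite=") for a in attrs):
                findings.append("cookie-no-samesite:" + v.split("=", 1)[0])
        if n in ("server", "x-powered-by", "x-aspnet-version") and re.search(r"\d+\.\d+", v):
            findings.append("version-disclosed:" + n)
    return findings
```

Feed `audit()` the raw header text saved from a browser's network panel or `curl -sI` output for a host you administer.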

Posted Wed, 18 Dec 2024 00:00:16 GMT by Matthias Wieland Senior Director Support EMEA
Dear Edwin Fabian Donato! It looks like the Community cannot answer your question. That's why we have opened a Support Request with the Number SR-249741-H6V9Q for you. A Software Support Specialist will contact you directly to follow up. We will update this thread with the solution as soon as we have resolved the Support Request. With best regards, DocuWare Support Team
