Good day,
I have some concerns regarding the security of DocuWare's cloud service and would like to understand how the implemented infrastructure addresses these needs. Additionally, I would appreciate it if you could indicate whether there is any official documentation or additional resources available in the Partner Portal that delve deeper into these topics.
Below are my specific questions:
-
Content Security Policy (CSP):
- Why is Content Security Policy (CSP) not enabled in DocuWare to mitigate attacks such as data injection or Cross-Site Scripting (XSS)?
- Are there any recommendations or alternative configurations that achieve this purpose?
-
Cookies Without SameSite Attribute:
- I noticed that the
dwingressplatform cookie lacks the SameSite attribute. This could potentially facilitate attacks such as Cross-Site Request Forgery (CSRF). What is the reasoning behind this configuration?
-
X-Frame-Options Header:
- Why is this header not configured to prevent 'ClickJacking' attacks?
-
Timestamp and Version Information Exposure:
- The servers reveal timestamps and version details in HTTP responses. What is the reason for exposing this information?
- How can it be justified that such exposure does not facilitate security vulnerabilities?
-
X-Content-Type-Options Header:
- This header is not set to
nosniff, which could allow attacks such as MIME sniffing. Are there plans to address this risk?
-
HSTS Protection:
- How does DocuWare implement HTTP Strict Transport Security (HSTS) to protect against downgrade attacks?
-
Third-Party JavaScript Files:
- I have observed that JavaScript files from third-party domains are included. How does DocuWare ensure that these files do not pose a security risk?
I appreciate any clarification or related documentation you can share.
