IIS web server
The IIS web server is a required component since it provides all user interface modules. It should therefore be carefully protected.
IIS is more than a web server; it is also an FTP server, indexing server, proxy for database applications and a server for active content and applications. Disable these features as Bravura Security Fabric does not use them.
Always deploy a proper, issued-by-a-real-CA SSL certificate to Bravura Security Fabric servers and disable plaintext HTTP access. Never use a self-signed certificate in a user-facing system, as this may condition users to ignore SSL validity warnings.
Assign the IIS user the right to read from but not write to the static HTML, image and JavaScript files used by Bravura Security Fabric.
Assign the IIS user the right to execute CGI programs but not other executables on the Bravura Security Fabric filesystem.
Disable directory browsing – there is no reason why a user connecting to the Bravura Security Fabric web portal should be able to list files in any folder.
Secure Content-Security-Policy (CSP) header
The default Content-Security-Policy (CSP) HTTP header shipped with Bravura Security Fabric restricts traffic to only the IIS web server (or load balancer) hosting the product. However, the connect-src directive includes a wildcard (*) so that Bravura Security Fabric works upon installation. Bravura Security recommends replacing this wildcard with only the valid hostnames for your deployment.
Valid hostnames include:
The individual instance hostnames of each server (for example, https://fabric-server1.company.com and https://fabric-server2.company.com).
The main load balancer hostname (for example, https://fabric.company.com).
Any special hosts added to the ALLOWED ORIGINS system variable (Manage the system > Maintenance > System variables).
Harden the connect-src directive
The connect-src directive is the one that needs to be hardened. Leave the other directives as they are unless you have a specific reason to change them. The following example shows a hardened policy with three hostnames:
Content-Security-Policy: connect-src 'self' https://fabric-server1.company.com/ https://fabric-server2.company.com/ https://fabric.company.com/; default-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self' https://www.recaptcha.net/; img-src data: 'self'; object-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'
You can set the CSP in IIS on each server or globally on the load balancer by rewriting the header. To modify the value in IIS:
Open on each server.
In the left panel, expand the server node, then expand Sites, then expand the website where the product is installed (defaults to Default Web Site).
Click the product instance name.
In the center panel, double-click HTTP Response Headers.
Double-click Content-Security-Policy, edit the value, and click OK.
Harden the form-action directive
If you are not using SAML, or are not using SAML with an HTTP/HTTPS POST redirect method, secure the form-action directive by removing the wildcard:
form-action 'self';
If you are using SAML with the HTTP/HTTPS POST redirect method, replace the wildcard with the authentication server URL. A trailing slash may be required on this URL.
form-action 'self' https://customerid.oktapreview.com/app/instanceid_xyz_1/
External images
Profile pictures in user profiles and the OrgChart can be uploaded (served by the same server as the product) or linked from an external directory. If you use an external directory, add the URL to the img-src directive:
img-src data: 'self' http://photos.company.com;
Troubleshooting
Test the CSP value after making changes to ensure Bravura Security Fabric behaves correctly.
Caution
An incorrectly written policy can result in a white screen because no scripts or styles are allowed to load. Use an online CSP validator to check your policy before applying it.
The following type of error appears in the Chrome or Edge console when the CSP has been violated:
Refused to connect to 'https://bravuranode2.company.com/bravura/cgi/ajax.exe?guacamoleplay:guacamoleread' because it violates the following Content Security Policy directive: "connect-src 'self' https://fabric-server1.company.com/ https://fabric-server2.company.com/ https://fabric.company.com/".
Ensure all necessary hostnames are included in the policy.
Upgrading
When upgrading, compare your custom hardened CSP with the new CSP included in the upgrade to ensure all necessary exceptions are present. Save a copy of your existing CSP before upgrading in case the upgrade replaces it.
For more information about Content-Security-Policy, see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.
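As an added check for the troubleshooting and upgrade steps above (example code, not part of the product or this guide), the following Python helper parses a CSP header value, flags directives that still carry a wildcard, lists the exceptions a newly shipped policy has that a custom hardened one lacks, and tests whether the origin quoted in a "Refused to connect" console error is covered by connect-src. The two sample policies are constructed and trimmed to the directives this section discusses; https://new-exception.example/ is a placeholder.

```python
from urllib.parse import urlsplit

# Constructed samples, not the product's defaults: the hardened connect-src from
# this page, and a hypothetical upgrade policy that restores the wildcards and
# adds one new frame-src exception. Both are cut down to the directives in play.
HARDENED = (
    "connect-src 'self' https://fabric-server1.company.com/ "
    "https://fabric-server2.company.com/ https://fabric.company.com/; "
    "default-src 'self'; form-action 'self'; frame-src 'self' "
    "https://www.recaptcha.net/; img-src data: 'self'"
)
SHIPPED = (
    "connect-src 'self' *; default-src 'self'; form-action 'self' *; "
    "frame-src 'self' https://www.recaptcha.net/ https://new-exception.example/; "
    "img-src data: 'self'"
)

def parse_csp(header):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def is_wildcard(source):
    """'*' on its own, or a host wildcard such as https://*.company.com."""
    return source == "*" or "*." in source

def find_wildcards(header):
    """Directives that still carry a wildcard source."""
    return [d for d, s in parse_csp(header).items() if any(map(is_wildcard, s))]

def missing_exceptions(custom, shipped):
    """Per directive, the non-wildcard sources the shipped policy has and the
    custom one lacks: the exceptions to carry over after an upgrade."""
    old, new = parse_csp(custom), parse_csp(shipped)
    gaps = {}
    for directive, sources in new.items():
        have = set(old.get(directive, []))
        gap = [s for s in sources if not is_wildcard(s) and s not in have]
        if gap:
            gaps[directive] = gap
    return gaps

def connect_src_allows(header, blocked_url):
    """Whether the origin of a URL quoted in a 'Refused to connect' console
    error is listed in connect-src (trailing slashes ignored)."""
    u = urlsplit(blocked_url)
    allowed = {s.rstrip("/") for s in parse_csp(header).get("connect-src", [])}
    return "*" in allowed or f"{u.scheme}://{u.netloc}" in allowed
```

Run find_wildcards against the policy you are about to apply, and missing_exceptions against the policy an upgrade ships, before touching the header in IIS.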
Secure Host header
The Host header in HTTP requests specifies the domain of the resource being requested. If not properly validated, it can be manipulated by attackers, leading to potential security risks such as cache poisoning and password reset link hijacking. To protect your installation of Bravura Security Fabric, ensure that the Host header is validated correctly.
Recommended approach
Configure Host header validation on your load balancer to ensure that all incoming traffic is validated before it reaches your Bravura Security Fabric instances. If you cannot configure this on a load balancer, apply the validation directly on each Bravura Security Fabric instance using IIS URL Rewrite rules.
Configure Host header validation in IIS
If you need to configure Host header validation on each Bravura Security Fabric instance, follow these steps to set up URL Rewrite rules in IIS:
Open on your server.
Navigate to your site:
In the left panel, expand the server node.
Expand Sites to view the list of sites.
Expand Default Web Site.
Click the virtual directory where Bravura Security Fabric is installed.
Double-click URL Rewrite in the middle panel.
Add a new rewrite rule:
Click Add Rule(s)... in the Actions pane.
Select Blank rule and click OK.
In the Name field, type a name such as Validate Host header.
In the Match URL section, type (.*) as the pattern.
Add a condition for Host header validation:
Click Add in the Conditions section.
In the Condition input field, type {HTTP_HOST}.
From the Check if input string drop-down list, select Does Not Match the Pattern.
In the Pattern field, type ^([a-zA-Z0-9-_]+\.)?yourdomain\.com$ (replace yourdomain.com with your actual domain).
Set up the action:
In the Action section, select Redirect as the Action type.
In the Redirect URL field, type your domain address (for example, https://yourdomain.com/). Any request with an invalid host is redirected to this domain.
From the Redirect type list, select Permanent (301).
Click Apply in the Actions pane to save the new rule.
Verification
After configuring Host header validation, test requests with both valid and invalid Host headers to confirm that only valid headers are accepted. This prevents unauthorized access and maintains the security of your Bravura Security Fabric installation.
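The following Python script is an added example, not part of the product or this guide: it replays the rule's condition and action against a set of constructed Host header values so the verification step can be rehearsed before the rule goes live. It keeps the page's pattern and placeholder domain as written and assumes the condition's "Ignore case" option is left at its default (on), which re.IGNORECASE mirrors.

```python
import re

# The rule's parts as the page gives them; yourdomain.com is the page's
# placeholder and must be replaced with the real domain.
HOST_PATTERN = r"^([a-zA-Z0-9-_]+\.)?yourdomain\.com$"
REDIRECT_URL = "https://yourdomain.com/"

# Assumption: the URL Rewrite condition keeps its default "Ignore case" setting.
# In Python the hyphen after the 0-9 range is a literal, as intended.
_HOST_RE = re.compile(HOST_PATTERN, re.IGNORECASE)

def host_is_valid(host):
    """The condition: {HTTP_HOST} matches the pattern (rule fires when it does not)."""
    return _HOST_RE.match(host or "") is not None

def evaluate(host):
    """What the rule does with a request carrying this Host header:
    ('allow', None) when it matches, else ('redirect', REDIRECT_URL) with a 301."""
    if host_is_valid(host):
        return ("allow", None)
    return ("redirect", REDIRECT_URL)

def verify(cases):
    """Run the verification step over (host, expected_valid) pairs and return
    the hosts whose outcome differs from expectation."""
    return [h for h, expected in cases if host_is_valid(h) != expected]

# Constructed Host values for the verification step.
CASES = [
    ("yourdomain.com", True),
    ("fabric.yourdomain.com", True),
    ("Fabric.YourDomain.com", True),      # case differs; accepted with ignore-case
    ("evil.com", False),
    ("yourdomain.com.evil.com", False),   # the $ anchor stops suffixing
    ("evilyourdomain.com", False),        # the ^ anchor stops prefixing
    ("a.b.yourdomain.com", False),        # only one label allowed before the domain
    ("yourdomain.com:8443", False),       # a port in the Host header is rejected
    ("", False),
]

if __name__ == "__main__":
    for host, _ in CASES:
        print(f"{host or '<empty>':28} -> {evaluate(host)}")
    print("mismatches:", verify(CASES))
```

The last two cases are the caveat to keep in mind: the pattern admits exactly one label before the domain and no port, so a portal reached on a non-default port or a deeper subdomain needs the pattern extended before this rule is applied.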