A6:2017 - Security Misconfiguration

Actions by GeneXus

  • GeneXus does not take any action on the production environment.

Actions by Developers

  • Some GeneXus properties can disable security controls. Inspect the property values manually before deploying.
  • Set the JavaScript Debug Mode property to No.
    • Security Scanner helps detect this scenario with case code #106.
  • Keep the server's software updated.
  • Avoid installing unnecessary functionality on the server.
  • Set proper permissions on the application web directories. Check the permissions granted to the application Temp directories (see the Temp media directory and Blob Local Storage Directory properties).
  • Grant the database user only the minimum permissions needed.
  • Application server and framework hardening is recommended.
  • Change the default cipher keys. Random key generation is advised.
  • Use different cipher keys for each application.
  • There must not be any development/test credentials in the production environment.
  • Security Scanner - Detections:
    • Communication: HTTP Protocol (#105), HttpResponse data type usage (#109).