This article describes inappropriate configurations that can impact the security of an application. Below you can find guidance on how to solve them.
Read more at: Security Misconfiguration - OWASP Documentation
- Some GeneXus properties can disable security controls. Inspect the property values manually before deploying.
- Set the Javascript Debug Mode property to No.
- Keep the server software up to date.
- Avoid installing unnecessary functionality on the server.
- Set permissions properly on the application web directories. Check the permissions given to the application Temp directories (see the Temp media directory and Blob local storage directory properties).
- Grant the database user only the minimum permissions it needs.
- Application server and framework hardening are recommended. Some secure deployment configurations can be found in: Configuration for secure deployment using GAM.
- Change the default cipher keys. Random key generation is advised.
- Use different cipher keys for each application.
- Do not leave any development/test credentials in the production environment.
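The manual pre-deployment inspection recommended above can be scripted. The following is an added example, not GeneXus code: a small audit over a constructed settings dictionary that checks the Javascript Debug Mode value, rejects a default or shared cipher key, and flags Temp media / Blob local storage directories that are world-writable. The settings layout, the `DEFAULT_CIPHER_KEY` placeholder and the sample applications are assumptions made for the example.

```python
import os
import stat
import secrets
import tempfile
# Constructed placeholder for an unchanged key; the real default and the settings layout are assumptions.
DEFAULT_CIPHER_KEY = "DEFAULT-KEY-PLACEHOLDER"

def generate_cipher_key(nbytes=32):
    """Random per-application key from the OS CSPRNG, hex encoded."""
    return secrets.token_hex(nbytes)

def audit_directory(path, label):
    """Flag a Temp media / Blob local storage directory that any local user can write to."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWOTH:
        return [f"{label} {path} is world-writable (mode {oct(mode)})"]
    return []

def audit_app(app):
    """Check one application's settings against the checklist items above."""
    name, findings = app["name"], []
    if app["JavascriptDebugMode"] != "No":
        findings.append(f"{name}: Javascript Debug Mode must be No")
    if app["CipherKey"] == DEFAULT_CIPHER_KEY or len(app["CipherKey"]) < 32:
        findings.append(f"{name}: cipher key is the default or too short")
    findings += audit_directory(app["TempMediaDirectory"], f"{name}: Temp media directory")
    findings += audit_directory(app["BlobLocalStorageDirectory"], f"{name}: Blob local storage directory")
    return findings

def audit_deployment(apps):
    """Audit every app and also require that no two apps share a cipher key."""
    findings, seen = [], {}
    for app in apps:
        findings += audit_app(app)
        if app["CipherKey"] in seen:
            findings.append(f"{app['name']}: shares its cipher key with {seen[app['CipherKey']]}")
        seen.setdefault(app["CipherKey"], app["name"])
    return findings

def build_sample_deployment():
    """Constructed sample: one misconfigured app and two hardened apps that share a key."""
    bad_dir, good_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.chmod(bad_dir, 0o777)   # deliberately world-writable
    os.chmod(good_dir, 0o750)
    shared = generate_cipher_key()
    def app(name, debug, key, temp):
        return {"name": name, "JavascriptDebugMode": debug, "CipherKey": key,
                "TempMediaDirectory": temp, "BlobLocalStorageDirectory": good_dir}
    return [app("legacy", "Yes", DEFAULT_CIPHER_KEY, bad_dir),
            app("portal", "No", shared, good_dir), app("api", "No", shared, good_dir)]
```

Running `audit_deployment(build_sample_deployment())` reports three findings for the "legacy" app and one shared-key finding for "api"; an empty list means the checked items pass.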
-
Security Scanner - Detections:
XML External Entity Prevention Cheat Sheet
Security Scanner helps to detect this scenario with case code #133.
Since: GeneXus 18 upgrade 1.