Security Best Practices

This page provides essential recommendations for hardening the security of your Joget deployment. By following these practices, you can safeguard sensitive data, mitigate risks, and maintain a robust application security posture. It covers the tools and settings available to enhance security, protect your information, and preserve the integrity of your applications.

Checking security issues

Ensure your system's security by following these steps:

  1. Log in as an administrator.
  2. Access the Administrator Bar.
  3. Click on Monitor.
  4. Select Governance Health Check.
  5. Under Check Category, choose Security.

SSL configuration

Enabling SSL (Secure Sockets Layer) ensures secure communications between an end user's browser and the server. For detailed instructions on configuring SSL with Tomcat, see the Setting Up SSL on Tomcat guide.

What is SSL?
SSL is the standard security technology for establishing an encrypted link between a web server and a browser. This encryption helps to ensure that all data passed between the web server and browsers remains private and unaltered.
Without SSL, data transferred between the client and the server is vulnerable to interception by attackers, because the packets are sent in plain text and can be read by anyone on the path between source and destination.

Domain whitelist for API calls

To manage external access to Joget's APIs, configure your API domain whitelist settings. For instructions on whitelisting domains, see API Domain Whitelist in Settings.

Advantage of whitelisting domains
Enabling this feature restricts API communication to only those servers that have been explicitly whitelisted, enhancing your server's security.

Directory user access control

Implement strong password policies to protect user credentials. Use the Security Enhanced Directory Manager for better security and control over user management. Consider enabling Multi-Factor Authentication using TOTP, which adds a second factor to the login and reduces the impact of a stolen password.

Without SSL, login credentials are vulnerable because they are transmitted in clear text.

Process start white list

Control who can start a process instance via Map Participants to Users to ensure only authorized users initiate processes.

UI menu permission control

Manage access to various components in a Joget App through Permission Control. Key areas for permission control include:

  • UI
  • UI Category
  • Form
  • Form Section

Ensure that apps are listed in the App Center only for logged-in users: in your app's UI Settings, find Permission Type and select Logged In User. Secure the UI by default by initially setting the UI permission to Logged In User, then secure each UI category, including hidden ones. The Hide From Menu option under UI Category does not restrict access; it only hides the UI from the menu. For detailed information, see the Permission Control documentation.

Password encryption

During the application design phase, sensitive information, such as passwords, should be encrypted for security purposes. You can modify the encryption key and salt to enhance security on a Joget DX 8 server.

Important
Changing the key and salt is recommended only during the initial server installation, as it renders all existing passwords unusable.

Import/export app
When exporting an app, any stored passwords are encrypted. When importing the app into a different server, you must reconfigure all saved passwords, as a server with a different key and salt may render them unusable.

Configuration file path: \apache-tomcat-8.5.14\webapps\jw\WEB-INF\classes\customApplicationContext.xml

Add the following lines to your configuration file:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

    <!-- Overrides the default key and salt used to encrypt stored passwords -->
    <bean id="dataEncryption" class="org.joget.apps.workflow.security.SecureDataEncryptionImpl">
        <property name="salt" value="YOUR-NEW-SALT"/>
        <property name="key" value="YOUR-NEW-KEY"/>
    </bean>

</beans>

Replace YOUR-NEW-SALT and YOUR-NEW-KEY with your specific values.
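A quick way to confirm the values were actually replaced before the server goes live, as an added example that is not part of the Joget documentation or product: the script parses the dataEncryption bean above and flags salt or key values that were left at a placeholder, are too short, or are identical. The placeholder list, the 16-character minimum and the sample XML are assumptions of this check, not requirements stated by Joget.

```python
# Added example (not Joget's code): checks the dataEncryption bean in
# customApplicationContext.xml for placeholder or too-short salt/key values.
import xml.etree.ElementTree as ET

SPRING_NS = "http://www.springframework.org/schema/beans"
# Strings that indicate the value was never customised (assumed list).
PLACEHOLDERS = {"NEW-VALUE-GOES-HERE", "YOUR-NEW-SALT", "YOUR-NEW-KEY", ""}
MIN_LENGTH = 16  # assumed minimum length for a custom key or salt

# Constructed sample: the file as it looks before the values are replaced.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="dataEncryption"
        class="org.joget.apps.workflow.security.SecureDataEncryptionImpl">
    <property name="salt" value="YOUR-NEW-SALT"/>
    <property name="key" value="YOUR-NEW-KEY"/>
  </bean>
</beans>"""


def read_encryption_properties(xml_text):
    """Return {"salt": ..., "key": ...} from the dataEncryption bean, or {} if absent."""
    root = ET.fromstring(xml_text)
    for bean in root.iter(f"{{{SPRING_NS}}}bean"):
        if bean.get("id") == "dataEncryption":
            return {p.get("name"): p.get("value", "")
                    for p in bean.findall(f"{{{SPRING_NS}}}property")}
    return {}


def find_problems(xml_text):
    """List findings as strings; an empty list means the bean looks customised."""
    props = read_encryption_properties(xml_text)
    if not props:
        return ["dataEncryption bean not found: key and salt are not customised"]
    problems = []
    for name in ("salt", "key"):
        value = props.get(name)
        if value is None:
            problems.append(f"{name} property missing")
        elif value.strip() in PLACEHOLDERS:
            problems.append(f"{name} still set to placeholder {value!r}")
        elif len(value) < MIN_LENGTH:
            problems.append(f"{name} shorter than {MIN_LENGTH} characters")
    if props.get("salt") and props.get("salt") == props.get("key"):
        problems.append("salt and key are identical")
    return problems


if __name__ == "__main__":
    for finding in find_problems(SAMPLE_XML) or ["no problems found"]:
        print(finding)
```

Run it against the real file by passing its contents instead of SAMPLE_XML; any finding means the server is still encrypting passwords with a value that must be changed before apps are deployed.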

Created by Julieth. Last modified by Aadrian on Dec 13, 2024.