Security Considerations

This document describes how to avoid possible security risks when deploying a web application containing the ASPxDashboard control or a corresponding MVC extension.

This document consists of the following sections:

  • Data Connection Security

  • Database Security

  • Web Dashboard Working Modes

  • Dashboard Access Rights

  • Use Http Handlers

  • XSS Security

  • Cache Security

Data Connection Security

The Web Dashboard can use different data source types to supply dashboards with data. Certain data sources (such as DashboardSqlDataSource or DashboardOlapDataSource) require establishing a data connection using specific connection parameters (server, database, user name, password). You can allow end-users to create data sources based on predefined data connections, or you can add the required predefined data sources in code. In either case, the connection parameters should stay on the server and never be embedded in a dashboard definition that is sent to the client. Use one of the following approaches to provide connection parameters:

Load an Existing Dashboard

You can use the Web Dashboard to display existing dashboards (created, for instance, in the WinForms Designer or in code). The Web Dashboard control automatically checks whether such dashboards contain data connection parameters. If they do, the dashboard is not loaded and an error message is displayed. In this case, remove all connection parameters from the dashboard definition and keep only the connection name. Then provide the connection parameters on the server using the approaches described above.

Note

If necessary, you can disable the connection parameter validation by enabling the DashboardConfigurator.PassCredentials property. The validation exists to prevent confidential information (such as database credentials stored in a dashboard definition) from being passed to the client side. If PassCredentials is enabled, the dashboard is displayed regardless of whether it contains user credentials, which means those credentials can reach the browser. We do not recommend using this approach in production for security reasons.
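The following Global.asax code is an added example, not code from the DevExpress documentation. It shows both server-side ways of supplying connection parameters so that a dashboard definition only needs to carry a connection name: resolving names against the <connectionStrings> section of Web.config, and building parameters in code inside the DashboardConfigurator.ConfigureDataConnection handler. The connection name "ReportingWarehouse", the host name, the database account and the environment variable are assumptions made for this example; the event argument type name and property names should be checked against your DevExpress version.

```csharp
// Added example (not part of the DevExpress documentation). Connection parameters
// are supplied on the server; the dashboard definition stored on disk or in a
// database contains only the connection name "ReportingWarehouse" (assumed name).
using System;
using System.Web;
using DevExpress.DashboardWeb;
using DevExpress.DataAccess.ConnectionParameters;
using DevExpress.DataAccess.Web;

public class Global : HttpApplication {
    protected void Application_Start(object sender, EventArgs e) {
        // Keep the default: a dashboard that embeds server, user name or password
        // is rejected with an error instead of being passed to the browser.
        DashboardConfigurator.Default.PassCredentials = false;

        // Approach 1: resolve connection names against <connectionStrings> in Web.config.
        // The client only ever sees the names; the strings never leave the server.
        DashboardConfigurator.Default.SetConnectionStringsProvider(
            new ConfigFileConnectionStringsProvider());

        // Approach 2: build the parameters in code, e.g. when the password comes from
        // an environment variable or a secret store rather than from Web.config.
        DashboardConfigurator.Default.ConfigureDataConnection += OnConfigureDataConnection;
    }

    static void OnConfigureDataConnection(object sender, ConfigureDataConnectionWebEventArgs e) {
        switch (e.ConnectionName) {
            case "ReportingWarehouse":                       // assumed connection name
                e.ConnectionParameters = new MsSqlConnectionParameters {
                    ServerName = "sql-reporting.internal",   // assumed host
                    DatabaseName = "Warehouse",              // assumed database
                    AuthorizationType = MsSqlAuthorizationType.SqlServer,
                    UserName = "dashboard_ro",               // read-only account for dashboards
                    Password = Environment.GetEnvironmentVariable("WAREHOUSE_DASHBOARD_PASSWORD")
                };
                break;
            default:
                // Any other name is left to the connection strings provider registered above.
                break;
        }
    }
}
```

With this wiring, a dashboard that still contains full connection parameters is rejected by the default validation, and a dashboard that references only "ReportingWarehouse" is resolved entirely on the server. Pair the code with a database account that has read-only rights on the tables the dashboards need, as the Database Security section below describes.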

KB Article - How to protect parameters used to establish a connection to data

Database Security

Enable Custom SQL

By default, the Data Source Wizard allows only visual construction of SQL queries using the built-in Query Builder. Queries constructed using the Query Builder can only contain a SELECT statement assembled from the database schema, so an end-user cannot type arbitrary SQL into them.

Manual editing of SQL queries is considered unsafe and is disabled by default in the Web Dashboard UI. You can enable SQL editing, at your own risk, using the approach described in the following document: Custom SQL Queries

Important

Custom SQL queries are validated before execution. The default validation only allows custom queries containing SELECT statements (and rejects SELECT INTO), but this cannot be considered sufficient on its own: a SELECT can still read any table or view the database account has access to, and resource-heavy or vendor-specific constructs can pass a simple statement-type check. Before enabling this option, make sure to apply your own SQL validation that rejects harmful requests, and treat that validation as a second line of defense behind database permissions rather than as the only control.

It is also recommended that you use the access control functionality of your database management system: connect with a dedicated account that has read-only access to exactly the tables and views the dashboards need, so that a query which slips past validation still cannot modify data or read beyond its intended scope.
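The following class is an added example, not code from the DevExpress documentation, of a stricter custom SQL validator hooked into DashboardConfigurator. It accepts a single SELECT with no statement separators, comments or batch commands, and additionally requires every FROM/JOIN target to appear on an allowlist of objects, so that a query which is syntactically a SELECT still cannot read outside the intended tables. The allowlisted table names are assumptions; the DashboardConfigurator.AllowExecutingCustomSql property and ValidateCustomSqlQuery event are the members described in the Custom SQL Queries topic referenced above, and their argument property names should be checked against your version.

```csharp
// Added example (not part of the DevExpress documentation): an allowlist-based
// validator for hand-written SQL. The table names are assumptions for this example.
using System;
using System.Linq;
using System.Text.RegularExpressions;
using DevExpress.DashboardWeb;

public static class CustomSqlPolicy {
    // Only these objects may be read by a custom query. Anything else the database
    // account can see (sys.*, INFORMATION_SCHEMA, other schemas) is rejected.
    static readonly string[] AllowedObjects = { "dbo.Orders", "dbo.OrderDetails", "dbo.Products" };

    // Exactly one SELECT statement: no SELECT INTO, no ';' that could start a second statement.
    static readonly Regex SingleSelect = new Regex(
        @"^\s*SELECT\b(?!.*\bINTO\b)[^;]*$", RegexOptions.IgnoreCase | RegexOptions.Singleline);

    // Comments, procedure calls, linked-server access, delays and any DML/DDL keyword.
    static readonly Regex Forbidden = new Regex(
        @"(--|/\*|\*/|\bEXEC(UTE)?\b|\bxp_|\bsp_|\bOPENROWSET\b|\bOPENQUERY\b|\bWAITFOR\b" +
        @"|\bINSERT\b|\bUPDATE\b|\bDELETE\b|\bMERGE\b|\bDROP\b|\bALTER\b|\bCREATE\b|\bGRANT\b)",
        RegexOptions.IgnoreCase);

    // Objects named after FROM or JOIN; subqueries in parentheses are caught by their own FROM.
    static readonly Regex FromJoinTarget = new Regex(
        @"\b(FROM|JOIN)\s+([\w\.\[\]]+)", RegexOptions.IgnoreCase);

    public static bool IsAllowed(string sql) {
        if (string.IsNullOrWhiteSpace(sql) || !SingleSelect.IsMatch(sql) || Forbidden.IsMatch(sql))
            return false;
        foreach (Match m in FromJoinTarget.Matches(sql)) {
            string target = m.Groups[2].Value.Replace("[", "").Replace("]", "");
            if (!AllowedObjects.Contains(target, StringComparer.OrdinalIgnoreCase))
                return false;   // reads from an object that is not on the allowlist
        }
        return true;
    }

    // Call from Application_Start after the rest of the configurator is set up.
    public static void Register() {
        DashboardConfigurator.Default.AllowExecutingCustomSql = true;
        DashboardConfigurator.Default.ValidateCustomSqlQuery += (s, e) => {
            // The built-in SELECT-only check has already run; e.Valid is the final verdict.
            e.Valid = IsAllowed(e.CustomSqlQuery);
        };
    }
}
```

With these rules, "SELECT o.OrderID, p.ProductName FROM dbo.Orders o JOIN dbo.Products p ON p.ProductID = o.ProductID" is accepted, while "SELECT name FROM sys.tables", "SELECT * FROM dbo.Orders; DROP TABLE dbo.Orders" and "SELECT * FROM dbo.Orders WAITFOR DELAY '0:0:30'" are all rejected. The check is string-based rather than a full SQL parser, so it errs on the side of rejecting (for example, an "INTO" inside a string literal is refused); the database account's own permissions remain the control that must hold if the validator is ever bypassed.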

Restrict Access to Unauthorized Assemblies

Loading of custom assemblies that may be referenced by Entity Framework data sources (DashboardEFDataSource) is forbidden by default.

To permit loading a specific assembly, handle the DashboardConfigurator.CustomAssemblyLoading event and allow only the assemblies you trust. An unauthorized attempt to load a custom assembly results in a CustomAssemblyLoadingProhibitedException.
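The following class is an added example, not code from the DevExpress documentation, of a CustomAssemblyLoading handler that allows exactly one strong-named assembly. Because the assembly name arrives from the dashboard definition, which an end-user can edit in Designer mode, the handler compares the simple name and the public key token rather than just the file name. The assembly name, version and token are assumptions, and the e.AssemblyName / e.Allow argument properties should be checked against your version.

```csharp
// Added example (not part of the DevExpress documentation): allowlist one
// strong-named EF model assembly; everything else stays forbidden.
using System;
using System.Reflection;
using DevExpress.DashboardWeb;

public static class AssemblyPolicy {
    // Assumed identity of the Entity Framework model used by dashboards.
    static readonly AssemblyName Trusted = new AssemblyName(
        "MyCompany.SalesModel, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef");

    public static bool IsTrusted(AssemblyName requested) {
        if (requested == null) return false;
        // Name alone is not enough: a different signer could ship a file with the same name.
        return string.Equals(requested.Name, Trusted.Name, StringComparison.OrdinalIgnoreCase)
            && TokensEqual(requested.GetPublicKeyToken(), Trusted.GetPublicKeyToken())
            && requested.Version != null && requested.Version >= Trusted.Version;
    }

    static bool TokensEqual(byte[] a, byte[] b) {
        if (a == null || b == null || a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++)
            if (a[i] != b[i]) return false;
        return true;
    }

    // Call from Application_Start.
    public static void Register() {
        DashboardConfigurator.Default.CustomAssemblyLoading += (s, e) => {
            // e.Allow defaults to false; leaving it false surfaces as
            // CustomAssemblyLoadingProhibitedException to the caller.
            e.Allow = IsTrusted(e.AssemblyName);
        };
    }
}
```

Requests for "MyCompany.SalesModel" with a different PublicKeyToken, or for any other assembly such as "System.Management", are left prohibited.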

Web Dashboard Working Modes

The Web Dashboard can act as the Designer or Viewer and supports the following working modes:

  • Designer: The Web Dashboard acts as a Dashboard Designer and allows end-users to create, edit and save dashboards. Note that in this case, you can switch to the Viewer mode on the client side.

  • Viewer: The Web Dashboard acts as a Dashboard Viewer and allows you to display dashboards to end-users. Note that in this case, you can switch to the Designer mode on the client side.

  • ViewerOnly: The Web Dashboard acts as a Dashboard Viewer without the capability to switch to the Designer mode on the client side. In this mode, the Web Dashboard does not load the extensions required for designing dashboards.

Note that in the WorkingMode.Viewer mode, dashboards from a storage can still be modified from the client side using the client-side API, and that API also allows switching from WorkingMode.Viewer to WorkingMode.Designer. The Viewer mode is therefore a UI setting, not an access control. To protect dashboards stored on a server, do one of the following:

Dashboard Access Rights

The Web Dashboard allows end-users to open, modify and create new dashboards. If you want to specify different access rights for different users, do one of the following:
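The following storage wrapper is an added example, not code from the DevExpress documentation, and serves both the Web Dashboard Working Modes section above and this one: it enforces on the server, regardless of the client-side working mode, that every authenticated user can load dashboards but only members of an assumed "DashboardDesigner" role can add or overwrite them. The role name and the ~/App_Data/Dashboards folder are assumptions; IEditableDashboardStorage, DashboardFileStorage and DashboardConfigurator.SetDashboardStorage are the DevExpress storage types, whose exact signatures should be checked against your version.

```csharp
// Added example (not part of the DevExpress documentation): role-checked
// dashboard storage. "DashboardDesigner" and the folder path are assumptions.
using System;
using System.Collections.Generic;
using System.Security;
using System.Web;
using System.Xml.Linq;
using DevExpress.DashboardWeb;

public class RoleCheckedDashboardStorage : IEditableDashboardStorage {
    readonly IEditableDashboardStorage inner;
    readonly string designerRole;

    public RoleCheckedDashboardStorage(IEditableDashboardStorage inner, string designerRole) {
        this.inner = inner;
        this.designerRole = designerRole;
    }

    public static bool IsDesigner(System.Security.Principal.IPrincipal user, string role) {
        return user != null && user.Identity != null
            && user.Identity.IsAuthenticated && user.IsInRole(role);
    }

    // Read paths are delegated unchanged.
    public XDocument LoadDashboard(string dashboardID) {
        return inner.LoadDashboard(dashboardID);
    }
    public IEnumerable<DashboardInfo> GetAvailableDashboardsInfo() {
        return inner.GetAvailableDashboardsInfo();
    }

    // Write paths are checked here, so a client that switched itself to Designer
    // mode or called the client-side API directly still cannot persist changes.
    public string AddDashboard(XDocument dashboard, string dashboardName) {
        RequireDesigner();
        return inner.AddDashboard(dashboard, dashboardName);
    }
    public void SaveDashboard(string dashboardID, XDocument dashboard) {
        RequireDesigner();
        inner.SaveDashboard(dashboardID, dashboard);
    }

    void RequireDesigner() {
        var context = HttpContext.Current;
        if (!IsDesigner(context == null ? null : context.User, designerRole))
            throw new SecurityException("Only members of the " + designerRole + " role may modify dashboards.");
    }

    // Application_Start wiring: wrap the file storage the application already uses.
    public static void Register() {
        var fileStorage = new DashboardFileStorage("~/App_Data/Dashboards");
        DashboardConfigurator.Default.SetDashboardStorage(
            new RoleCheckedDashboardStorage(fileStorage, "DashboardDesigner"));
    }
}
```

Combine this with WorkingMode.ViewerOnly on the control for users who should never see the designer UI; the storage check is what holds when the client is not trusted, the working mode only decides which extensions are loaded.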

See also: How to save dashboards created by end-users to a DataSet

Use Http Handlers

For the DevExpress Web Forms Dashboard control to work correctly when the UseDashboardConfigurator property is set to true, ASPxHttpHandlerModule must be registered in the Web.config file as a module for resource processing and as a handler for data processing.

The ASPxHttpHandlerModule is automatically registered in this file in the following cases:

  • When you create an application with the Web Forms Dashboard control using DevExpress project templates.

  • When you have the Web Dashboard in ASP.NET WebForms markup and switch to the Design tab in Visual Studio.

You can also register the handler manually. The ASPxHttpHandlerModule that processes requests to the DXDD.axd path is registered in two sections, the first used by the IIS classic pipeline and the second by the integrated pipeline:

 <system.web>    
    ...
    <httpHandlers>
      ...
      <add type="DevExpress.Web.ASPxHttpHandlerModule, DevExpress.Web.v18.1, Version=18.1.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET,POST" path="DXDD.axd" validate="false" />
    </httpHandlers>    
</system.web>
<system.webServer>
    ...
    <handlers>
      ...
      <add type="DevExpress.Web.ASPxHttpHandlerModule, DevExpress.Web.v18.1, Version=18.1.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET,POST" path="DXDD.axd" name="WebDashboardHandler" preCondition="integratedMode" />
    </handlers>    
</system.webServer>

By default, all users (including unauthenticated ones) can send requests to the dashboard handler. Limit access with URL authorization: wrap an authorization rule in a <location> element for the DXDD.axd path and deny anonymous users (the ? wildcard). Note that the verbs attribute of <deny> names HTTP verbs (GET, POST), not paths, so a rule such as <deny verbs="DXDD.axd" users="?" /> never matches a request and does not protect the handler.

<location path="DXDD.axd">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

This rule only takes effect when the application uses an authentication mode (Forms or Windows) that identifies users, and it still lets every authenticated user reach the handler; use the dashboard storage and access rights described above to decide what an authenticated user may do.

XSS Security

To prevent HTML injection, one of the most common forms of XSS, make sure that the ASPxWebControl.EncodeHtml property is enabled (true) for the ASPxDashboard control, so that text the control renders (such as dashboard and item captions that end-users or data values can supply) is HTML-encoded instead of being emitted as markup. If you are using the ASP.NET MVC Dashboard extension, check the SettingsBase.EncodeHtml flag of the DashboardExtensionSettings object.

Cache Security

When the Web Dashboard performs data-related operations in client data processing mode, data retrieved from a data source can be cached on the server and reused for later requests. If what a user is allowed to see depends on who the user is (for example, the connection or query is configured per user or per role), a cache entry filled for one user could be served to another. Custom parameter values take part in the cache key, so create a custom parameter that identifies the user's roles to keep such caches separate.

DashboardConfigurator.Default.CustomParameters += (s, e) => {
    // Custom parameter values form part of the cache key: one sorted, joined string per role set.
    string[] roles = System.Web.Security.Roles.GetRolesForUser();
    System.Array.Sort(roles, System.StringComparer.Ordinal);
    e.Parameters.Add(new Parameter("UserRole", typeof(string), string.Join(",", roles)));
};