Security Considerations

  • 8 minutes to read

This document describes how to avoid possible security risks when deploying a web application containing the ASPxDashboard control or a corresponding MVC extension.

This document consists of the following sections.

Data Connection Security

The Web Dashboard can use different data source types to supply dashboards with data. Certain data sources (such as DashboardSqlDataSource or DashboardOlapDataSource) require establishing a data connection using specific connection parameters. You can provide end-users with the capability to create data sources bases on predefined data connections or you can add the required predefined data sources in code. Use one of the following approaches to provide connection parameters:

  • Create a provider of data connections by implementing the IDataSourceWizardConnectionStringsProvider interface and pass the created provider to the DashboardConfigurator.SetConnectionStringsProvider method. See Register Default Data Connections for details.

  • Add the required connection string to the connectionStrings section in the Web.config file. Note that the Web Dashboard control does not expose connection strings from Web.config by default. Pass the ConfigFileConnectionStringsProvider instance as the ASPxDashboard.SetConnectionStringsProvider / DashboardConfigurator.SetConnectionStringsProvider method's parameter to allow creating new data sources based on connection strings from the Web.config file.

    A code snippet for ASP.NET Web Forms (if you use the ASPxDashboardControl's API):

    using DevExpress.DataAccess.Web;
    // ...
    ASPxDashboard1.SetConnectionStringsProvider(new ConfigFileConnectionStringsProvider());

    A code snippet for ASP.NET Web Forms (if you use the DashboardConfigurator's API) and ASP.NET MVC:

    using DevExpress.DataAccess.Web;
    // ...
    DashboardConfigurator.Default.SetConnectionStringsProvider(new ConfigFileConnectionStringsProvider());

    A code snippet for ASP.NET Core:

    using DevExpress.DataAccess.Web;
    // ...
    .AddDefaultDashboardController(configurator  => {
        configurator.SetConnectionStringsProvider(new DashboardConnectionStringsProvider(Configuration));
  • If the predefined data source is added in code, handle the ASPxDashboard.ConfigureDataConnection / DashboardConfigurator.ConfigureDataConnection event to provide the required connection parameters.

Load an Existing Dashboard

You can use the Web Dashboard to display existing dashboards (created for instance, in the WinForms Designer or in code). The Web Dashboard control automatically checks whether such dashboards contain data connection parameters. If so, the dashboard will not be loaded and an error message will be displayed. In this case, remove all connection parameters from the dashboard definition and keep only a connection name. Then, provide connection parameters using the approaches described above.


If necessary, you can disable the connection parameter validation using the DashboardConfigurator.PassCredentials property. This property is introduced to prevent passing confidential information to the client side. If this property is enabled, the dashboard will be displayed regardless of whether it contains user credentials. However, we do not recommend using this approach in production for security reasons.

KB Article - How to protect parameters used to establish a connection to data

Database Security

Enable Custom SQL

By default, the Data Source Wizard allows only visual construction of SQL queries using the built-in Query Builder. Queries constructed using the Query Builder can only contain a SELECT statement and are guaranteed to be safe.

Manual editing of SQL queries is considered unsafe and is disabled by default in the Web Dashboard's UI. You can enable SQL editing at your own risk using the approach described in the following document: Custom SQL Queries


Custom SQL queries are validated before their execution. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe, as it does not prevent execution of potentially harmful requests. Before enabling this option, please make sure to apply a secure SQL validation that prevents execution of harmful requests.

It is also recommended that you utilize the access control functionality of your database management system to achieve the highest level of database security.

Restrict Access to Unauthorized Assemblies

Loading of custom assemblies that can be referenced by Entity Framework data sources (DashboardEFDataSource) is forbidden by default.

To permit loading a specific assembly, handle the DashboardConfigurator.CustomAssemblyLoading event. An unauthorized attempt to load a custom assembly will result in a CustomAssemblyLoadingProhibitedException.

Web Dashboard Working Modes

The Web Dashboard can act as the Designer or Viewer and supports the following working modes:

Mode Description
Designer The Web Dashboard acts as a Dashboard Designer and allows end users to create, edit, and save dashboards. You can switch to Viewer mode on the client side from this mode.
Viewer The Web Dashboard acts as a Dashboard Viewer and allows you to display dashboards to end users. You can switch to Designer mode on the client side from this mode.
ViewerOnly The Web Dashboard acts as a Dashboard Viewer without the capability to switch to Designer mode on the client side. In this mode, the Web Dashboard does not load the extensions required for designing dashboards.

Note that in the WorkingMode.Viewer mode dashboards from a storage can be modified from the client side using an API. Moreover, a client-side API allows you to switch from the WorkingMode.Viewer to WorkingMode.Designer mode. To protect dashboards stored on a server, do one the following:

A list below describes the Web Dashboard's specifics when it operates in the ClientTrustLevel.Restricted mode:

  • Only dashboards stored in dashboard storage can be processed on the client. The designer mode does not work.

  • Calling the IEditableDashboardStorage.AddDashboard and IDashboardStorage.SaveDashboard methods leads to an exception.

  • Information about data sources containing in a dashboard xml definition is not passed to the client when you request a dashboard xml file.

Dashboard Access Rights

The Web Dashboard allows end-users to open, modify and create new dashboards. If you want to specify different access rights for different users, do one of the following:

Use Http Handlers

For DevExpress Web Forms Dashboard control to work correctly, when the UseDashboardConfigurator property is set to true, the ASPxHttpHandlerModule should be registered in the Web.config file as a module for resource processing and as a handler for data processing.

The ASPxHttpHandlerModule is automatically registered in this file in the following cases:

  • When you create an application with the Web Forms Dashboard control using DevExpress project templates.

  • When you have the Web Dashboard in ASP.NET Web Forms markup and switch to the Design tab in Visual Studio.

You can register a new ASPxHttpHandlerModule that should process requests with the DXDD.axd path as a handler in two sections:

      <add type="DevExpress.Web.ASPxHttpHandlerModule, DevExpress.Web.v18.2, Version=, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET,POST" path="DXDD.axd" validate="false" />
      <add type="DevExpress.Web.ASPxHttpHandlerModule, DevExpress.Web.v18.2, Version=, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET,POST" path="DXDD.axd" name="WebDashboardHandler" preCondition="integratedMode" />

All users (including unauthorized) can get access to a dashboard control handler by default. You can limit the access by adding authorization to a dashboard control handler and deny access for all unauthorized users.

       <deny verbs="DXDD.axd" users="?" /> 

XSS Security

To prevent HTML-injection, which is one of the most common types of XSS attack, make sure that the ASPxWebControl.EncodeHtml property is enabled for the ASPxDashboard control. If you are using the ASP.NET MVC Dashboard extension, check the SettingsBase.EncodeHtml flag for the DashboardExtensionSettings object.

Cache Security

When Web Dashboard performs data-related operations in client data processing mode, data from a data source can be cached. The Web Dashboard control uses a single cache. The use of separate DashboardConfigurator instances does not create separated caches. Create a custom parameter to specify a different cache for different user roles:

DashboardConfigurator.Default.CustomParameters += (s, e) => { 
    e.Parameters.Add(new Parameter("UserRole", typeof(string), System.Web.Security.Roles.GetRolesForUser()));