Skip to main content
BuyLog In
Business Intelligence Dashboard
Search in…
Docs > Web Dashboard > ASP.NET MVC Dashboard Extension > Security Considerations
A newer version of this page is available. .
All docs
V21.2
Business Intelligence Dashboard
Get Started
Basic Concepts and Terminology
Common Features
WinForms Dashboard
Web Dashboard
General Information
Create Dashboards on the Web
ASP.NET Core Dashboard Control
ASP.NET MVC Dashboard Extension
Required Client Libraries
Server-Side API Overview
Client-Side API Overview
Integrate the Dashboard Extension into a Project
Designer and Viewer Modes
Load a Dashboard
Themes and Styles
Manage Exporting Capabilities
Manage Dashboard State
Handle and Log Server-Side Errors
Access to Underlying Widgets
Manage Extensions
Localization
Security Considerations
ASP.NET Web Forms Dashboard Control
Dashboard Component for Blazor
Dashboard Component for Angular
Dashboard Component for React
Dashboard Component for Vue
Dashboard Control for JavaScript Applications (JQuery, Knockout, etc.)
Dashboard Backend
UI Elements and Customization
WPF Dashboard Viewer
Visual Studio Integration
Redistribution and Deployment
Video Tutorials
Migration Guides
Examples
End-User Documentation
.NET Framework API Reference
.NET Core API Reference
HTML JS Control API Reference
ASP.NET Client API Reference
Download CHM

Security Considerations in ASP.NET MVC

  • 7 minutes to read

This document describes how to avoid possible security risks when you deploy an ASP.NET MVC application that contains the Web Dashboard.

Data Connection Security

The Web Dashboard needs data connection parameters to get data from certain data sources or to display existing dashboards (for instance, created in the WinForms Designer or in code):

  • Users can create data sources based on predefined data connections in the UI, or you can add predefined data sources in code. For example, DashboardSqlDataSource and DashboardOlapDataSource can require a user name and password.
  • The Web Dashboard control automatically checks whether dashboards contain data connection parameters. In this case, the dashboard does not load and an error message is displayed. In this case, remove all connection parameters from the dashboard definition and keep only the connection name.

The Web Dashboard control does not expose connection strings from Web.config when it operates in Designer mode. You need to use a data connection string provider to avoid data leaks and pass connection parameters safely. You can use a predefined data connection string provider or implement a custom provider:

Use the predefined provider

ConfigFileConnectionStringsProvider is a predefined implementation of a data connection string provider. This provider makes all connection strings in Web.config available and allows users to create new data sources based on connection strings from the configuration file.

Pass the ConfigFileConnectionStringsProvider instance as the DashboardConfigurator.SetConnectionStringsProvider method’s parameter to use this provider.

using DevExpress.DataAccess.Web;
// ...
DashboardConfigurator.Default.SetConnectionStringsProvider(new ConfigFileConnectionStringsProvider());
Implement a custom provider
A custom data connection string provider allows you to add custom logic. For example, you can read connection strings from a custom source or manage connection strings between users. To use a custom connection provider, implement the IDataSourceWizardConnectionStringsProvider interface and pass the created provider to the DashboardConfigurator.SetConnectionStringsProvider method call. See the following topic for details: Register Default Data Connections.

Note

If necessary, you can disable the connection parameter validation using the DashboardConfigurator.PassCredentials property. This property is introduced to prevent passing confidential information to the client side. If this property is enabled, the dashboard will be displayed regardless of whether it contains user credentials. However, we do not recommend that you enable this property in production for security reasons.

Database Security

Enable Custom SQL

The Data Source Wizard initially allows users to construct SQL queries only in the built-in Query Builder. Queries constructed in the Query Builder are guaranteed to be safe because they can contain only a SELECT statement.

Users cannot edit SQL queries in the Query Builder (the default setting). Refer to the following article for information on how to enable users to edit SQL Queries in the UI: Custom SQL Queries. Custom SQL queries are validated before their execution. Please make sure to apply a secure SQL validation that prevents harmful request execution.

We recommend that you utilize the access control functionality of your database management system to achieve the highest level of database security.

Restrict Access to Unauthorized Assemblies

You cannot load custom assemblies that can be referenced by Entity Framework data sources (DashboardEFDataSource) (the default setting).

To permit a user to load a specific assembly, handle the DashboardConfigurator.CustomAssemblyLoading event. An unauthorized attempt to load a custom assembly will result in a CustomAssemblyLoadingProhibitedException.

Restrict Access to External Data Resources

The Dashboard Control gets data from resources stored on the disk or on the Internet. We recommend that you specify access settings for data resources (Excel, Extract, and JSON data sources).

Use the AccessSettings class to explicitly allow the path to the data file. To accomplish this, configure rules in the DataResources property to restrict file system access to the specified folders. You can call the SetRules(IAccessRule[]) method when the application starts to specify rules before a dashboard control sets its rules. The SetRules(IAccessRule[]) method can be called only once at the application startup. Otherwise, the method will raise an exception. Alternatively, you can use the TrySetRules(IAccessRule[]) method, which does not raise an exception.

Data Source Access Rights

These examples show how to configure the Dashboard control so that it loads data in a multi-user environment. You can identify a user in the current session and select which underlying data source is available for this user.

View Example

Database Schema Customization

A custom database schema provider allows you to restrict access to tables, views, stored procedures, and columns in the Query Builder depending on certain conditions (such as user role or connection settings).

The following example shows how to implement a custom database schema provider for SQL Data Sources in ASP.NET MVC:

View Example

Dashboard Parameters Security

A user can get sensitive information from dashboard parameters. Encode the passed parameter value if possible. Do not store any sensitive information in dashboard parameters that isn’t encrypted.

Working Mode Access Rights

The Web Dashboard can act as a designer or viewer. The following modes are available:

Designer
The Web Dashboard works as a designer and allows users to create, edit, and save dashboards. In this mode, the control loads the extensions required to design dashboards. Users can access the Data Source Wizard , preview underlying data, and modify dashboards from storage. The requests from the dashboard backend server can be sent to third-party resources. A user can also switch the control to Viewer mode. This is the default mode.
Viewer
The Web Dashboard works as a viewer and displays dashboards to users. In this mode, the control also loads the extensions required to design dashboards. A user can switch the control to Designer mode.
ViewerOnly
The Web Dashboard does not load the extensions required to design dashboards. Users cannot switch to Designer or Viewer modes on the client.

Warning

The working mode does not influence the server settings. Initially, the server works at the ClientTrustLevel.Full trust level. Verify the trust level and specify which actions a client can initiate on the server.

You can use one of the following ways to prevent inadvertent or unauthorized modifications to dashboards stored on the server:

A list below describes the Web Dashboard’s specifics when it operates in the Restricted mode:

  • Only dashboards stored in dashboard storage can be processed on the client. The designer mode does not work.

  • Calling the IEditableDashboardStorage.AddDashboard and IDashboardStorage.SaveDashboard methods leads to an exception.

  • Information about data sources contained in a dashboard xml definition is not passed to the client when you request a dashboard xml file.

Dashboard Access Rights

The Web Dashboard allows users to open, modify, and create new dashboards. If you want to specify different access rights for different users, create custom dashboard storage (IDashboardStorage or IEditableDashboardStorage), and add the verification in the implemented class.

View Example: ASP.NET MVC - How to implement multi-tenant Dashboard architecture

XSS Security

The HTML-injection is one of the most common types of XSS attack. To prevent this type of injection, make sure that the EncodeHtml property is enabled:

Prevent Cross-Site Request Forgery (CSRF)

Cross-site request forgery (also known as XSRF or CSRF) is a type of malicious exploit of a website where unauthorized commands are submitted from a trusted user. To prevent cross-site request forgery (CSRF) attacks on your web application, use a custom dashboard controller and apply anti-forgery request validation. See the following example for implementation details:

View Example

Cache Security

When Web Dashboard performs data-related operations in client data processing mode, data from a data source can be cached. The Web Dashboard control uses a single cache. The use of separate DashboardConfigurator instances does not create separated caches. Create a custom parameter to specify a different cache for different users.

The following example shows how to use a custom parameter for this purpose:

View Example

// Configure user-specific data caching
private static void DashboardConfigurator_CustomParameters(object sender, CustomParametersWebEventArgs e) {
    var userId = HttpContext.Current.Session["CurrentUser"].GetHashCode();
    e.Parameters.Add(new Parameter("UserId", typeof(string), userId));
}

See the following topic for more information: Dashboard Backend - Manage an In-Memory Data Cache.

See Also