This document describes how to avoid possible security risks when deploying your web reporting application.
See Reporting Security for more information on security considerations related to storing and distributing DevExpress reports.
All reporting controls are protected against injecting and executing custom scripts on the client. The corresponding property values are always encoded on export to HTML.
To ensure that users have access only to authorized reports, do one of the following:
The HTML5 Document Viewer opens reports using one of the following method calls that open a report by its URL:
The specified URL is transmitted to the client thus exposing the information that might be within it, such as your application's internal structure.
Make sure that no sensitive information is present in a report URL. We also strongly recommend that you provide proper authorization logic in your IWebDocumentViewerReportResolver implementation.
To restrict unauthorized access to images on the server, the XRPictureBox.ImageUrl property of the XRPictureBox report control does not accept the "file://" protocol by default (only "http://", "https://" and "ftp://" protocols are enabled). The same applies to the XRRichText report control when images are added using the IncludePicture field.
Enables loading of images from an application's working directory (defined by the AppDomain.CurrentDomain.BaseDirectory property).
Enables loading of images from custom directories (defined using the UrlAccessSecurityLevelSetting.RegisterCustomBaseDirectories or UrlAccessSecurityLevelSetting.RegisterCustomCallback method).
Enables loading of any image from any directory.
The PDF and Excel passwords specified for a report, along with other export options, are always passed in a POST request, preventing the exposure of these passwords in the browser history.
If users share a report, passwords specified for exported to PDF and Excel files will not be exposed in the Web Document Viewer. Should a user have access to documents exported by others, they will not be able to bypass password protection, if default password was used.
To enable passing PDF/Excel passwords specified in the Report Designer to the Web Document Viewer, call the DefaultWebDocumentViewerContainer.EnablePassingExportOptionsPasswordsToClient method of the DefaultWebDocumentViewerContainer class.
Password Security on the Server Side
If you save your report layout to a report definition (REPX) file, it will store PDF/Excel passwords in plain-text. Ensure that only trusted parties have access to report definition files.
To make sure that your application properly implements script security, both the execution of all report scripts and the capability to view and edit scripts in the Web Report Designer are disabled by default.
Be advised that report scripts are not secure and enable them only in a trusted environment.
To learn how to enable scripting in the Web Report Designer, see Scripts Security.