General Security Considerations
This document describes how to avoid possible security risks when deploying your web reporting application.
Review the following topic for information on security issues related to report storage and distribution: Reporting Security.
Cross-site Scripting (XSS) Security
Client-side reporting controls are protected against script injection. Property values are always encoded when they are exported to HTML.
Web End-User Report Designer
Web Document Viewer
Protect Sensitive Information
Ensure Authorized Access
For access control purposes, all operations can be classified by the object that the document viewer processes in a particular operation. The objects are:
- Document export results.
For information on how to implement authorized access to these objects in a reporting application, review the following article: Authorized Access to Reports and Documents in a Web Reporting Application.
Avoid Sensitive Data Exposure Through Report URL
A report URL (report string identifier) is a string that contains a report name, report parameters, and may contain other information. A client method that opens a report sends this string to the server. The string may reveal sensitive information, such as your application's internal structure.
Make sure that the report URL does not contain sensitive information. Implement custom report name resolution services to detect and remove unnecessary information from the report string identifiers. The following services are available:
The IWebDocumentViewerReportResolver service allows you to parse a report name, create a report instance and return it to the calling method. When you have a parameterized report, you can specify parameters in the report name that is passed to the service, and use parameters in the report's constructor.
The ICachedReportSourceWebResolver service returns a CachedReportSourceWeb instance. It has an asynchronous counterpart, the ICachedReportSourceWebResolverAsync service, which allows you to build a document asynchronously.
The IReportProvider service has lower priority than the previously mentioned services, and it is not intended for exclusive use by the Document Viewer. The main advantage of the IReportProvider service is that it can be attached to reports created at runtime. The IReportProviderAsync service gives you the same benefits with asynchronous operation.
The ReportStorageWebExtension service is called when no other report name resolution services are available. It is designed to get reports from external storage (a file or a database) where they are saved in REPX format. You cannot apply parameters with this service because its GetData method returns a serialized report that is subsequently deserialized using a parameterless constructor.
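The following is an added example (not DevExpress's own code) of an IWebDocumentViewerReportResolver that keeps internal details out of the report URL: the client sends only an opaque key and an integer parameter, the server maps the key to a report through an allowlist, and anything that does not match the expected shape is rejected. The SalesReport and InvoiceReport classes, the key names, and the `id` parameter are assumptions; register the resolver with your platform's DI container as documented for your host (Web Forms, MVC, or ASP.NET Core).

```csharp
using System;
using System.Collections.Generic;
using DevExpress.XtraReports.UI;
using DevExpress.XtraReports.Web.WebDocumentViewer;

// Custom report name resolver. The report string identifier sent by the
// client has the form "<key>?id=<integer>", e.g. "sales?id=42". Type names,
// file paths and connection details never appear in the URL.
public class OpaqueKeyReportResolver : IWebDocumentViewerReportResolver
{
    // Allowlist of opaque keys. SalesReport and InvoiceReport are assumed
    // report classes whose constructors take the record id as a parameter.
    static readonly Dictionary<string, Func<int, XtraReport>> Catalog =
        new Dictionary<string, Func<int, XtraReport>>(StringComparer.Ordinal)
        {
            { "sales",   id => new SalesReport(id) },
            { "invoice", id => new InvoiceReport(id) }
        };

    public XtraReport Resolve(string reportEntry)
    {
        // Reject empty or oversized identifiers before parsing anything.
        if (string.IsNullOrEmpty(reportEntry) || reportEntry.Length > 64)
            throw new ArgumentException("Invalid report identifier.");

        string[] parts = reportEntry.Split(new[] { '?' }, 2);
        string key = parts[0];
        int id = 0;

        if (parts.Length == 2)
        {
            // Only a single "id=<digits>" parameter is accepted.
            const string prefix = "id=";
            if (!parts[1].StartsWith(prefix, StringComparison.Ordinal) ||
                !int.TryParse(parts[1].Substring(prefix.Length), out id) ||
                id < 0)
                throw new ArgumentException("Invalid report identifier.");
        }

        // Unknown keys get the same generic error as malformed input, so the
        // response does not reveal which keys exist.
        if (!Catalog.TryGetValue(key, out Func<int, XtraReport> factory))
            throw new ArgumentException("Invalid report identifier.");

        return factory(id);
    }
}
```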
Ensure Safe Image Loading from URL
The XRPictureBox.ImageUrl property does not accept the "file://" protocol out-of-the-box (it accepts only the "http://", "https://" and "ftp://" protocols). The same rule applies to the XRRichText report control for images in the IncludePicture fields.
To allow the "file://" protocol in image URLs, use the DevExpress.Security.Resources.AccessSettings class to apply access rules that allow image loading from the specified locations.
Protect Passwords on the Client Side
Passwords for PDF and Excel files, along with the other export options, are always passed in a POST request so that they do not appear in the browser history.
If users share a report, passwords specified for PDF and Excel files are not exposed in the Web Document Viewer. A user who has access to documents exported by other users cannot bypass password protection.
Call the EnablePassingExportOptionsPasswordsToClient method at application startup to pass PDF/Excel passwords, specified in the Report Designer, to the Web Document Viewer in the ASP.NET Web Forms & MVC and ASP.NET Core platforms.
Protect Passwords on the Server Side
The report definition (REPX) file stores PDF/Excel passwords in plain text. Ensure that only trusted parties have access to report definition files.
Disable Report Scripts
Report scripts are insecure. Use Expressions or ExpressionsAdvanced data binding modes instead. For more information, review the following help topic: Data Binding Modes.
For security reasons, the Web End-User Report Designer is initially configured to prohibit script execution, viewing, and editing. For information on how to enable scripts in the Web End-User Report Designer, review the following help topic: Scripts Security.