
Version: 5.2.1.1+

Applicable to: Futurama Website and Futurama Web API


Description

If the Futurama Website module is used, it is possible to configure additional security settings. These settings are set in the security section of the configuration file. From Futurama 21.03+ some of these security settings can also be applied to Futurama Web API.

Configuration

Settings

Within the configuration element the following code has to be included:

<configSections>
    <sectionGroup name="futuramaSettings">
        <section name="security" type="ActuIT.Futurama.Library.SecuritySection, ActuIT.Futurama.Library,Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    </sectionGroup>
</configSections>

In addition, also within the configuration element, the following code has to be included:

<futuramaSettings>
    <security>
        <web verifySessionOnEveryRequest="{true/false}"
             throttlePage="TooManyUsers.htm"
             removeRequestParametersOnLogin="{true/false}"
             onlyAllowCallsToVisibleButtons="{true/false}"
             maxNumberOfSessions="0"
             includeIPAddress="{true/false}"
             allowSettingUservariablesThroughUrl="{true/false}"
             baseCSPHeader="{Content-Security-Policy header value}"
             reportOnlyCSPHeader="{true/false}"
             nonSlidingSessionTimeOut="120"/>
    </security>
</futuramaSettings>

The futuramaSettings element is the general part for more configuration settings. Within this element the security element is set.

Explanation

Within the security/web element a number of attributes can be set. The possible values of these attributes are described below.

verifySessionOnEveryRequest (for Futurama Website)

If set to true, Futurama verifies that subsequent requests are sent by the same user.

includeIPAddress (for Futurama Website)

If set to true, the IP address of the remote user is included in the verification check. If the IP address changes during the session, the session is aborted and abandoned by Futurama, even if the change was unintentional. For example, a change from a wired to a wireless connection would change the user's IP address and thus end the session. If you do not have the security section in your web.config, includeIPAddress defaults to True.

maxNumberOfSessions (for Futurama Website)

This number defines the maximum number of sessions that Futurama allows. The default is 0, which means an unlimited number of sessions. If you specify a number, all requests for new sessions after the maximum number of sessions has been reached are transferred to the defined throttle page. With this setting you can reduce the risk of an attacker flooding the server with sessions.

throttlePage (for Futurama Website)

This setting is only used when maxNumberOfSessions is greater than 0. When the maximum number of sessions is reached, subsequent requests for new sessions are transferred to the throttle page. In the example we created a static HTML page TooManyUsers.htm and placed it in the root folder of the Futurama installation.
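The following is an added model of the behaviour described under verifySessionOnEveryRequest, includeIPAddress, maxNumberOfSessions and throttlePage; it is example code, not Futurama's own implementation, and the SessionGuard class and its method names are assumptions made for the illustration.

```python
# Added model (not Futurama's own code) of the session checks described above:
# verifySessionOnEveryRequest, includeIPAddress, maxNumberOfSessions and
# throttlePage. Class and method names are assumptions made for this example.
from dataclasses import dataclass, field


@dataclass
class SessionGuard:
    verify_session_on_every_request: bool = True   # verifySessionOnEveryRequest
    include_ip_address: bool = True                # includeIPAddress
    max_number_of_sessions: int = 0                # maxNumberOfSessions, 0 = unlimited
    throttle_page: str = "TooManyUsers.htm"        # throttlePage
    sessions: dict = field(default_factory=dict)   # session id -> bound client IP

    def start_session(self, session_id, client_ip):
        """Return the page served for a new-session request: the start page, or
        the throttle page once maxNumberOfSessions (> 0) has been reached."""
        if 0 < self.max_number_of_sessions <= len(self.sessions):
            return self.throttle_page
        self.sessions[session_id] = client_ip
        return "default.aspx"

    def verify_request(self, session_id, client_ip):
        """Check a subsequent request against the stored session binding.
        With includeIPAddress the bound IP must match; on a mismatch the
        session is aborted and abandoned, even if the change was unintentional
        (e.g. the user switched from a wired to a wireless connection)."""
        if session_id not in self.sessions:
            return False
        if not self.verify_session_on_every_request:
            return True
        if self.include_ip_address and self.sessions[session_id] != client_ip:
            del self.sessions[session_id]  # aborted and abandoned by the server
            return False
        return True
```

Note that abandoning the session frees a slot, so a later new-session request is served again once the count drops below the maximum.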

allowSettingUservariablesThroughUrl (Futurama 2016.11 +, for Futurama Website)

This setting is for backwards compatibility and is deprecated. The default value is “False”.

onlyAllowCallsToVisibleButtons (Futurama 2016.11 +, for Futurama Website)

This property can be set to False to allow hardcoded links to button-click URLs where the button is not present on the current page, e.g.:

<a href="default.aspx?button=1231">

The default value is "True". See the Compatibility paragraph below for more information.

removeRequestParametersOnLogin (Futurama 2018.10 +, for Futurama Website)

This property can be set to True to remove all request parameters when the user is redirected from the login page to the start page. This setting is only applicable when using Forms Authentication.

baseCSPHeader (Futurama 21.03+, for both Futurama Website and Futurama Web API)

From Futurama 21.03+ it is possible to make web applications CSP-compliant by specifying this header, which is returned together with the response headers in Futurama Web. CSP stands for Content Security Policy and is used to enhance the security of web pages in modern web browsers. CSP does this by declaring which resources are allowed to load. The CSP, its directives and the format of their values are further described at https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP. A safe CSP setting is: default-src 'self'.

If this header is specified, the CSP settings are returned in the response headers when a web page in Futurama is loaded. If anything happens in the user's web browser that violates the specified CSP settings, an error is reported. In Firefox and Google Chrome these errors can be viewed in the browser's console, which is opened by pressing F12.

To use CSP, an HTTP module (for Futurama Website) and a handler (for both Futurama Website and Futurama Web API) are required. For Futurama Website this is done by adding the following settings to your web.config:

<configuration>
	<system.webServer>
		<handlers>
			<add name="FuturamaWebResources" path="WebResource.ashx" verb="*" type="ActuIT.Futurama.Web.WebResourceHandler"/>
		</handlers>
		<modules>
			<add name="ScriptFilter" type="ActuIT.Futurama.Web.ScriptFilter, ActuIT.Futurama.Web" />
		</modules>
	</system.webServer>
</configuration>

For Futurama Web API the following settings have to be included in your web.config:

<configuration>
	<system.webServer>
		<handlers>
			<add name="FuturamaWebResources" path="WebResource.ashx" verb="*" type="ActuIT.Futurama.Web.WebResourceHandler"/>
		</handlers>
	</system.webServer>
</configuration>

If baseCSPHeader is not specified, no CSP settings are returned in the response headers and no CSP is used.

reportOnlyCSPHeader (Futurama 21.03+, for both Futurama Website and Futurama Web API)

If baseCSPHeader is specified, this setting tells Futurama 21.03+ whether the CSP settings should only be reported. Possible values are true and false.

If reportOnlyCSPHeader is true, the header Content-Security-Policy-Report-Only with the CSP settings is returned in the response headers. In this case all of the web page's resources are loaded regardless of the CSP; those violating the CSP settings only cause an error to be generated in the web browser's console.

If reportOnlyCSPHeader is false, the header Content-Security-Policy with the CSP settings is returned in the response headers. The browser then refuses to load resources violating the CSP settings and also generates error messages in its console.
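As an added example (not Futurama's own code), the function below reads baseCSPHeader and reportOnlyCSPHeader from a web.config fragment and derives the response header that the rules for these two settings produce; the config text and function names are constructed for this illustration.

```python
# Added example (not Futurama's own code): derive the CSP response header from
# the baseCSPHeader / reportOnlyCSPHeader attributes of a web.config fragment,
# following the rules described above. The config below is constructed.
import xml.etree.ElementTree as ET

WEB_CONFIG = """<configuration>
  <futuramaSettings>
    <security>
      <web baseCSPHeader="default-src 'self'" reportOnlyCSPHeader="true"/>
    </security>
  </futuramaSettings>
</configuration>"""


def csp_response_header(config_xml):
    """Return (header name, header value), or None when no baseCSPHeader is
    configured, in which case no CSP header is returned at all."""
    web = ET.fromstring(config_xml).find("futuramaSettings/security/web")
    if web is None:
        return None
    policy = (web.get("baseCSPHeader") or "").strip()
    if not policy:
        return None
    # reportOnlyCSPHeader only matters once a policy is present; it defaults
    # to false here, i.e. the enforcing header.
    report_only = web.get("reportOnlyCSPHeader", "false").strip().lower() == "true"
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, policy


def is_enforcing(config_xml):
    """True only when violations will actually block resource loading; a
    report-only policy logs to the browser console but protects nothing."""
    header = csp_response_header(config_xml)
    return header is not None and header[0] == "Content-Security-Policy"
```

Use the report-only header while validating a new policy against the console errors, then switch reportOnlyCSPHeader to false so the policy is enforced.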

nonSlidingSessionTimeOut (Futurama 21.08+, for both Futurama Website and Futurama Web API)

From Futurama version 21.08 and up you can define a hard limit on the session timeout. The default timeout configuration is sliding, which means that if a user performs actions on the website, the session is extended. With this new setting you can define a hard limit. The value is in minutes, so for a timeout of two hours you specify the value 120. If you combine this with a session timeout of 15 minutes, the behaviour is that if a user performs no actions, the session expires after 15 minutes. If a user performs an action every 5 minutes, the session is extended up to the maximum of 120 minutes.
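The worked example below (added here, not Futurama code) models the combination of a sliding 15-minute session timeout with a 120-minute nonSlidingSessionTimeOut; request times are minutes since the session started, and the function names and sample sequences are constructed for the illustration.

```python
# Added worked example (not Futurama code) of nonSlidingSessionTimeOut: a
# sliding idle timeout (15 minutes) combined with a hard limit (120 minutes).
# Request times are minutes since session start; sequences are constructed.

def session_expiry(request_times, idle_timeout=15, hard_limit=120):
    """Return the minute at which the session expires, given the ascending
    minutes at which the user made requests. Each request within the idle
    window extends the session by idle_timeout minutes, but never beyond
    hard_limit. Pass hard_limit=float("inf") for the default sliding-only
    behaviour without a hard limit."""
    expires_at = min(idle_timeout, hard_limit)
    for t in request_times:
        if t >= expires_at:
            break  # request arrived after the session had already expired
        expires_at = min(t + idle_timeout, hard_limit)
    return expires_at


def is_session_alive(request_times, now, idle_timeout=15, hard_limit=120):
    """True if a request at minute `now` still finds the session alive,
    considering only the requests made before `now`."""
    earlier = [t for t in request_times if t < now]
    return now < session_expiry(earlier, idle_timeout, hard_limit)
```

With an action every 5 minutes the session lives exactly 120 minutes; without the hard limit the same activity would keep it alive for as long as the user keeps clicking.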

Compatibility

Before Futurama 16.11, it was possible to generate a tag within the text in an XML Converter that contained a link to a button click (e.g. 'default.aspx?button=3124') which would execute the button click, regardless of the button's location. From Futurama 6.0 this is only allowed if the button is present on the current web page. Older applications that contain links to buttons on other web pages can be made functional by setting 'onlyAllowCallsToVisibleButtons' to 'False', but this constitutes a security risk. A better solution is to create a reference to the target button on the desired web page and use CSS to make it invisible.

Feedback

If you have any questions about this subject or if you want to provide us feedback please send us an e-mail.

Updated: 2021-03-10