Hardening WebViewer Server

This guide details how you can improve the overall security of WebViewer Server in your environemt.

In order to secure your container in your environment, we suggest you do the following.

• Isolate the container from other servers and services
• Only download the container from the Apryse repository
• Do not run it on the same Docker network as other containers
• Do not increase the privileges given to the containers
• Use the most up to date version of Docker and WebViewer Server
• Ensure your host system is up to date, this includes keeping your kernel version up to date
• Do not mount sensitive host system directories onto the container
• Do not add the ability to SSH into containers
• Limit memory and CPU usage to what you want to allow to the server container

For more in depth and general purpose solutions to improving container security, please refer to this guide.

In addition to the to the innate security advantages of containerization, we have taken additional measures for this specific container:

• Restricted permissions within the container on all systems
• Restricted permissions on 3rd party libraries and executables
• Blocked network access for 3rd party libraries
• Configurable security options to improve WebViewer Server security

WebViewer Server is designed to request files from a server. This means that between all clients and the file server, WebViewer Server can expose access to all files on the file server. The common way of dealing with this is to add security to your server. This can be done by:

• Authentication gateway before accessing the server
• Use signed links when retrieving files

If you are concerned with clients still having access to files which they have lost access to we recommend enabling the TRN_FORCE_URL_RECHECK . This will force the file links to be rechecked for validity every time they are requested.

We recommend reviewing our security configuration options to improve web security. We recommend the following options be set within your system.

• INCLUDE_DEMO

Set this to false to prevent vulnerabilities arising from the demo code packaged with WebViewer Server

• TRN_ALLOWED_ORIGINS

Set this to your Webviewer client domain to restrict requests to that domain.

• TRN_FETCH_REQUIRED_ROOTS

Set this to the root of your file server, which will restrict file requests to any other domain.

• Set up SSL for your containers
• Isolate your WebViewer Server from other servers on your network

If you have concerns with cached files being accessible if the link is given out, you can set the following options. Keep in mind these options will come with a loss in performance due to the loss of cache sharing.

• TRN_ENABLE_SESSION_AUTH
• TRN_ENABLE_PER_SESSION_CACHING
• TRN_FORCE_URL_RECHECK