Hardening WebViewer Server

This guide details how you can improve the overall security of WebViewer Server in your environment.

Container security

In order to secure your container in your environment, we suggest you do the following.

  • Isolate the container from other servers and services
  • Only download the container from the Apryse repository
  • Do not run it on the same Docker network as other containers
  • Do not increase the privileges given to the containers
  • Use the most up-to-date versions of Docker and WebViewer Server
  • Ensure your host system is up to date, including the kernel version
  • Do not mount sensitive host system directories onto the container
  • Do not add the ability to SSH into containers
  • Limit the memory and CPU available to the server container to what you want to allow

For more in-depth and general-purpose solutions to improving container security, please refer to this guide.
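The checklist above can be verified against a running deployment. The following is an added example, not Apryse code: it audits parsed `docker inspect` output for the privilege, resource limit, host mount and shared network items. The container names, the sample data and the list of sensitive paths are assumptions constructed for illustration.

```python
import json

# Assumed list of host paths that should never be bind-mounted; adjust per host.
SENSITIVE = ("/etc", "/root", "/home", "/proc", "/sys", "/boot", "/var/run/docker.sock")

def is_sensitive(path):
    path = path.rstrip("/") or "/"
    return path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE)

def networks(container):
    # "none" means no networking at all, so it is never a shared network.
    return set(container.get("NetworkSettings", {}).get("Networks") or {}) - {"none"}

def audit(containers, target):
    """Check one container from parsed `docker inspect` output against the checklist."""
    by_name = {c["Name"].lstrip("/"): c for c in containers}
    c, findings = by_name[target], []
    host = c.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append("privileged mode enabled")
    if host.get("CapAdd"):
        findings.append("extra capabilities: " + ",".join(host["CapAdd"]))
    if not host.get("Memory"):
        findings.append("no memory limit")
    if not (host.get("NanoCpus") or host.get("CpuQuota")):
        findings.append("no CPU limit")
    for m in c.get("Mounts") or []:
        if m.get("Type") == "bind" and is_sensitive(m.get("Source", "")):
            findings.append("sensitive host mount: " + m["Source"])
    if "host" in networks(c):
        findings.append("uses the host network namespace")
    for name, other in by_name.items():
        if name == target:
            continue
        for net in sorted(networks(c) & networks(other)):
            findings.append(f"shares network '{net}' with {name}")
    return findings

# Constructed sample in the shape of `docker inspect` output (names are hypothetical).
SAMPLE = json.loads("""[
 {"Name": "/wvs-weak", "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"],
   "Memory": 0, "NanoCpus": 0, "CpuQuota": 0},
  "Mounts": [{"Type": "bind", "Source": "/etc/ssl"}],
  "NetworkSettings": {"Networks": {"bridge": {}}}},
 {"Name": "/wvs-hardened", "HostConfig": {"Privileged": false, "CapAdd": null,
   "Memory": 4294967296, "NanoCpus": 2000000000, "CpuQuota": 0},
  "Mounts": [], "NetworkSettings": {"Networks": {"wvs-only": {}}}},
 {"Name": "/app-db", "HostConfig": {}, "Mounts": [],
  "NetworkSettings": {"Networks": {"bridge": {}}}}
]""")
```

On a real host, pass `audit` the parsed JSON from `docker inspect $(docker ps -q)` together with the name of the WebViewer Server container.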

In addition to the innate security advantages of containerization, we have taken additional measures for this specific container:

  • Restricted permissions within the container on all systems
  • Restricted permissions on 3rd party libraries and executables
  • Blocked network access for 3rd party libraries
  • Configurable security options to improve WebViewer Server security

File security

WebViewer Server is designed to request files from a server. This means that, sitting between all clients and the file server, WebViewer Server can expose access to all files on the file server. The common way of dealing with this is to add security to your server. This can be done by:

  • Placing an authentication gateway in front of the server
  • Using signed links when retrieving files

If you are concerned that clients may still be able to reach files they have lost access to, we recommend enabling the TRN_FORCE_URL_RECHECK option. This will force the file links to be rechecked for validity every time they are requested.

Web Security

We recommend reviewing our security configuration options to improve web security. We recommend the following options be set within your system.

Set this to false to prevent vulnerabilities arising from the demo code packaged with WebViewer Server.

Set this to your WebViewer client domain to restrict requests to that domain.

Set this to the root of your file server, which will restrict file requests to any other domain.

Caching Security

If you have concerns with cached files being accessible if the link is given out, you can set the following options. Keep in mind these options will come with a loss in performance due to the loss of cache sharing.
