Security is an important consideration for protecting the integrity and privacy of the data and the resources of your Web application. You should design a security strategy for your Web application that uses tested and proven security solutions, and implement authentication, authorization, and data validation to protect your application from a range of threats.

General Web Application Security Guidelines

  • Consider implementing a strong authorization mechanism to restrict resource access and protect business logic.
    • Third-party enterprise single sign-on solutions can operate as an authentication and authorization gateway to ArcGIS web application services.
  • Consider the use of input validation and data validation at every trust boundary to mitigate security threats such as cross-site scripting and code injection.
  • Do not rely on client-side validation only. Use server-side validation as well.
  • Consider encrypting any sensitive data that is sent across the network.
    • Basic security solutions encrypt username/password information.
    • Advanced security solutions incorporate digital signing (PKI).
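The server-side validation the list above calls for, shown as an added example (not ESRI code) for a hypothetical map query endpoint whose parameters, allow-listed layer ids and format names are assumptions for this page. It repeats the checks a client-side script would perform, because the client script can be bypassed entirely, and it escapes anything it echoes back so a rejected parameter cannot carry script into the browser.

```javascript
// Added example, not ESRI code: server-side validation of the query-string parameters
// a browser client sends to a hypothetical map query endpoint.

// Allow-lists for the hypothetical endpoint (layer ids and formats are assumed values).
const ALLOWED_FORMATS = new Set(['json', 'pjson', 'html']);
const ALLOWED_LAYERS = new Set([0, 1, 2]);
const MAX_RECORDS = 1000;

// Strict parsers: Number('') is 0 and Number(' 7 ') is 7 in JavaScript, so plain
// coercion would silently accept values the allow-list was meant to reject.
function toInt(s) {
  return typeof s === 'string' && /^\d{1,9}$/.test(s) ? Number(s) : NaN;
}
function toNum(s) {
  return typeof s === 'string' && /^-?\d+(\.\d+)?$/.test(s) ? Number(s) : NaN;
}

// Validate one request's parameters (strings, as they arrive in a query string).
// Returns { ok: true, value } with typed, allow-listed values, or { ok: false, errors }.
function validateQueryParams(params) {
  const errors = [];
  const clean = {};

  // layer id: an integer from the allow-list, never a free-form value
  const layer = toInt(params.layer);
  if (!ALLOWED_LAYERS.has(layer)) {
    errors.push('layer must be one of ' + [...ALLOWED_LAYERS].join(', '));
  } else {
    clean.layer = layer;
  }

  // output format: enumerated values only
  if (typeof params.f !== 'string' || !ALLOWED_FORMATS.has(params.f)) {
    errors.push('f must be one of ' + [...ALLOWED_FORMATS].join(', '));
  } else {
    clean.f = params.f;
  }

  // bounding box: exactly four finite numbers with xmin < xmax and ymin < ymax
  const bbox = typeof params.bbox === 'string' ? params.bbox.split(',').map(toNum) : [];
  if (bbox.length !== 4 || !bbox.every(Number.isFinite) || bbox[0] >= bbox[2] || bbox[1] >= bbox[3]) {
    errors.push('bbox must be "xmin,ymin,xmax,ymax" with xmin < xmax and ymin < ymax');
  } else {
    clean.bbox = bbox;
  }

  // record count: bounded integer, so one call cannot pull an entire table
  const n = params.maxRecords === undefined ? 100 : toInt(params.maxRecords);
  if (!Number.isInteger(n) || n < 1 || n > MAX_RECORDS) {
    errors.push(`maxRecords must be an integer between 1 and ${MAX_RECORDS}`);
  } else {
    clean.maxRecords = n;
  }

  return errors.length > 0 ? { ok: false, errors } : { ok: true, value: clean };
}

// Output encoding for the HTML error page: request values are echoed back only after
// escaping, which is what stops a rejected parameter from becoming cross-site scripting.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderErrorHtml(params, errors) {
  const items = errors.map((e) => `<li>${escapeHtml(e)}</li>`).join('');
  const echoed = escapeHtml(JSON.stringify(params));
  return `<h1>Invalid request</h1><ul>${items}</ul><p>Received: ${echoed}</p>`;
}
```

The validator returns typed values from its own allow-lists rather than the client's strings, so downstream code (the layer lookup, the record limit) never sees raw input; the error page is the only place input is reflected, and it goes through `escapeHtml` first.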

Application Development Framework (ADF) Web Application Security Guidance

ArcGIS Server provides security out of the box, with no programming needed, for ADF-based web applications. Security configuration of web apps in ASP.NET and Java EE is automated through ArcGIS Manager.

Rich Internet Application (RIA) Security Guidelines

For newer RIA-based web applications built on the REST API, such as JavaScript, Flex, and Silverlight, ESRI has provided code security snippets and examples to accelerate your development efforts. RIA applications such as Flex and Silverlight mitigate a variety of common attack vectors because they run inside a sandbox in the browser; however, deploying code onto client-side browsers brings additional security guidelines that should be considered beyond those for basic web applications:

  • Applications run inside a sandbox in the browser, within a memory space isolated from other applications.
  • Browsing of the local client file system is restricted.
  • Limit access to specialized local devices such as webcams.
  • Limit access to domains other than the one that delivered the application, protecting the user from cross-site scripting attacks.
    • This is done via crossdomain.xml for Flash and clientaccesspolicy.xml for Silverlight, located in the web server root directory.
    • ESRI CrossDomain Guidance
  • Be careful when downloading sensitive business logic used on the client because tools are available that can extract the logic contained in downloaded XAML Browser Application (XBAP) and Shockwave Flash (SWF) files.
    • Implement sensitive business logic using Web services.
    • If the logic must be on the client for performance reasons, research and utilize any available obfuscation methods.
    • To minimize the amount of time that sensitive data is available on the client, utilize dynamic loading of resources and overwrite or clear components containing sensitive data from the browser cache.
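The cross-domain policy files named above decide which other sites may load a Flash or Silverlight application's resources from your server, and a wildcard entry undoes the domain restriction the guideline asks for. As an added example (not ESRI code), here is a small audit that reads both file formats and flags permissive settings; the four sample policies are constructed for this page, the host names in them are placeholders, and the regex-based extraction is an assumption that suits these small files rather than a general XML parser.

```javascript
// Added example, not ESRI code: audit crossdomain.xml (Flash) and clientaccesspolicy.xml
// (Silverlight) for entries that let any origin call the site's services.
// All four sample policies below are constructed; example.com hosts are placeholders.

const permissiveCrossDomain = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>`;

const restrictedCrossDomain = `<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="gis.example.com" secure="true" />
  <allow-access-from domain="www.example.com" secure="true" />
</cross-domain-policy>`;

const permissiveClientAccess = `<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>`;

const restrictedClientAccess = `<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from>
        <domain uri="https://gis.example.com" />
      </allow-from>
      <grant-to>
        <resource path="/arcgis/rest/" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>`;

// Both formats carry the trusted origin in an attribute: domain="..." on
// <allow-access-from> (Flash) or uri="..." on <domain> (Silverlight).
function extractAllowedDomains(policyXml) {
  const domains = [];
  const re = /<(?:allow-access-from|domain)\b[^>]*\b(?:domain|uri)="([^"]*)"/g;
  let m;
  while ((m = re.exec(policyXml)) !== null) domains.push(m[1]);
  return domains;
}

// Findings: a bare "*" (or "scheme://*") trusts every site on the internet; a "*."
// prefix trusts every host under that suffix; secure="false" lets plain-http
// origins reach content served over https.
function findingsFor(domains, policyXml) {
  const findings = [];
  for (const d of domains) {
    if (d === '*' || d.endsWith('://*')) {
      findings.push(`wildcard "${d}": any site may load and call these resources`);
    } else if (d.startsWith('*.')) {
      findings.push(`subdomain wildcard ${d}: every host under it is trusted`);
    }
  }
  if (/\bsecure="false"/i.test(policyXml)) {
    findings.push('secure="false": plain-http origins may reach https content');
  }
  return findings;
}

function auditPolicy(policyXml) {
  const domains = extractAllowedDomains(policyXml);
  const findings = findingsFor(domains, policyXml);
  return { domains, findings, permissive: findings.length > 0 };
}
```

Running `auditPolicy` over the two permissive samples reports the `*` entry as a finding, while the two restricted samples list only the named hosts; the `site-control` element in the restricted Flash policy additionally stops policy files placed elsewhere on the site from widening what the root policy allows.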

ArcGIS Security Token Guidance For REST Based Applications

  • For secure solutions, it is not appropriate to embed the username and password for the service into the client-side JavaScript.
  • A long-lived token can be obtained from the Token server, and this token may be included in the client-side page. The token is then included in the request for the service.
    • Long-lived tokens are typically not appropriate for needs beyond the Basic GIS Security Pattern, because of the possibility of replay attacks, where an attacker intercepts data (such as a token granting access) and retransmits it.
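One way to keep both the credentials and a long-lived token out of client-side JavaScript, as an added example that is not ESRI's code: a small server-side token broker that holds the service username and password, asks the token server for short-lived tokens, and hands the browser only the token and its expiry. The call to the token server is injected (`fetchToken`) so the module runs offline; the parameter names it passes, the 15-minute lifetime and the 60-second refresh margin are assumptions for this page.

```javascript
// Added example, not ESRI code: a server-side token broker for a REST-based client.
// Service credentials stay in this module; the browser sees a short-lived token only,
// so a captured token is replayable for minutes rather than for the life of a
// long-lived token embedded in the page.

const DEFAULT_TTL_MINUTES = 15;      // assumed: short lifetime bounds the replay window
const REFRESH_MARGIN_MS = 60 * 1000; // refresh a little before expiry (assumed margin)

// fetchToken({ username, password, expiration }) -> { token, expires }
//   In a deployment this would call the token server's generateToken request (the
//   request and parameter names are assumptions here). It is synchronous in this
//   example so the module runs offline; a network version would return a Promise.
function createTokenBroker({ username, password, fetchToken,
                             ttlMinutes = DEFAULT_TTL_MINUTES, now = Date.now }) {
  // Credentials live only in this closure; nothing returned below exposes them.
  let cached = null; // { token, expiresAt } in epoch milliseconds

  function getToken() {
    if (cached && cached.expiresAt - now() > REFRESH_MARGIN_MS) return cached.token;
    // Request a new token bound to a short expiration (minutes).
    const { token, expires } = fetchToken({ username, password, expiration: ttlMinutes });
    cached = { token, expiresAt: expires };
    return token;
  }

  // The only data a browser client receives: the token and when it expires.
  function clientPayload() {
    const token = getToken();
    const json = JSON.stringify({ token, expiresAt: cached.expiresAt });
    return assertNoCredentialLeak(json, [username, password]);
  }

  return { getToken, clientPayload };
}

// Defensive check on everything serialised for the client: refuse to ship a payload
// that contains the service credentials, however it was built.
function assertNoCredentialLeak(payloadJson, secrets) {
  for (const s of secrets) {
    if (s && payloadJson.includes(s)) {
      throw new Error('service credential would be sent to the client');
    }
  }
  return payloadJson;
}
```

The browser script then fetches `clientPayload()` from its own server and attaches the returned token to service requests; when the token nears expiry it asks again, and the broker transparently obtains a fresh one. Because no credential ever reaches the page, a copied token is the most an attacker who reads the client code or the traffic can obtain, and it stops working after the short expiration.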
