Content Delivery security
This section describes the subsystems and services of Content Delivery, the default user accounts used to access and run these subsystems, and the minimal rights, privileges and/or permissions required by an account to operate a subsystem.
- Security settings for Windows and for Unix
The two operating system families each have their own security requirements: - Content Delivery security best practices
Providing a secure environment for Content Delivery depends upon the incorporation of both secure processes and secure systems architecture. This section outlines the best practices for running and managing the Content Delivery platform. - Content Delivery security settings file system permissions
This topic describes the required file system settings for Content Delivery micoservices. - Changing credentials for access to Content Delivery microservices
When you installed the Discovery Service, you were instructed to secure your setup by changing the default passwords of the user accounts set up by default for the various roles. You were also told you could change the set of user accounts as needed. This topic explains how to change the user accounts and/or their passwords after installation. - Configuring refresh token storage and expiration
You can change the expiration time of refresh tokens, and in a scaled-out or Cloud-based setup, you must encrypt your refresh tokens and store them client-side. - Content Delivery microservice SSL security
Content Delivery microservices can be secured using SSL, if you have a private key, a certificate signed and issued by a Certificate Authority (CA), and a keystore containing both of these. You then configure the keystore and other SSL properties in the application.properties file of your microservice. Multiple microservices can share the same keystore, provided that they run on the same machine. Refer to the installation documentation for more information. - Setting up encryption and decryption of sensitive values in a Content Delivery .NET Web application
Put sensitive strings, such as passwords and secrets, in a special section of your Web.config file, and use the aspnet_regiis command to encrypt and decrypt that section of the file. - Content Delivery OAuth authentication framework
Content Delivery components are preconfigured for OAuth authentication by default when you install them. However, if you want to grant affiliate websites or other third-party software components the ability to interact securely with the Content Delivery microservices, those external software components must create a connection to the Content Delivery services manually. - Setting up OAuth authentication on an affiliate website
Set up OAuth authentication on an affiliate website to implement requests that can be authenticated against the Discovery Service. - Disabling OAuth authentication
RWS strongly recommends against disabling OAuth authentication, especially in a production environment. OAuth authentication is set up to work out of the box, so only disable it if you have a pressing reason to do so. OAuth authentication must be switched on everywhere, or switched off everywhere. - Configuring HTTP header validation for the Ambient Data Framework
To guard against HTTP header injection using the session ID and tracking ID, you can configure header validation in the cd_ambient_conf.xml configuration file. - Configuring CORS (Cross-Origin Resource Sharing) for Content Delivery microservices
By default, CORS (Cross-Origin Resource Sharing, also called Cross-Site Resource Sharing) is enabled for Content Delivery microservices, but with wide settings. If you explicitly setcors.enabledtofalse(or remove the property altogether), any CORS-related settings are ignored. You can also make the feature narrower by enabling CORS for specific URLs. - Roles and microservices
In the Discovery Service configuration location, you can edit the configuration file cd_ambient_conf.xml to manage user accounts and their roles. This topic explains the roles that exist and the rights they grant the user. - Configuring Content Delivery databases for integrated authentication
If you are running Content Delivery software as a Windows Service and its database is Microsoft SQL Server, you can use integrated authentication. This applies to the Content Data Store and the Session database. - Security options for OpenSearch in the Cloud
If OpenSearch is set up in the Cloud, most security concerns are delegated to the Cloud, but you can still set up some additional security measures. - Enabling SSL encryption of the connection from microservices to your Microsoft SQL Server database
By default, Content Delivery microservices are configured to connect to a Microsoft SQL Server database without using encryption. If you would prefer to encrypt your connections, you can do so by changing your microservice configurations. This causes the JDBC Driver to use encryption. - Configuring your Content Delivery microservices for TLS v1.2 (Oracle databases)
If you want to use TLS (Transport Layer Security) version 1.2 for all communication between your Content Delivery microservices and your Oracle databases, you need to perform some configuration steps on the database server and in the microservices (database clients). - Enabling Spring Security in Content Delivery microservices
Content Delivery microservices use the Spring framework, for which you can enable security. Securing Spring means, among others, that HTTP headers will be added to your HTTP responses. - Configuring SSRF constraints for the (Session-enabled) Content Service
You can configure Server-Side Request Forgery (SSRF) constraints for the (Session-enabled) Content Service in the application.properties file.