Making Easy Project Server More Secure – Safety Tips for Your Web Application
Keeping your Easy Project safe and resilient is as important to us just as it is to you. Therefore, we bring some advice (including strong recommendations). Some tips you may find obvious, however, a good checklist should contain everything.
Data security always matters for all types of organizations and software. For a long time, data security is also one of the most discussed business topics. The more advanced technology we use, the higher the level of data and application protection is generally expected and needed. So why underestimate risks if there is an easy solution for your Easy Project? Secure your business with Easy Project today. Here's how.
1. Use HTTPS connection
- Create a self-signed certificate or buy a trusted one. Instruction on how to create a self-signed certificate can be found here.
- Set up your web-server to hold a secured connection properly. Fully restrict requests from 80 or 8080 ports or set up proper routing of them to a secure port. Detailed instructions for secure Nginx configuration are available directly in the Easy Project installation package under doc/INSTALL.
- In your Easy Project settings (Administration >> Settings), set up the correct protocol type (HTTPS). It's a very important but often missed point. Please remember that not all Easy Project plugins use correct routes from the system. Some of them look only for this specific setting to define what protocol should be used. It is not correct, but it happens. So it is better to be sure the protocol will be always HTTPS.
- To verify the quality of your SSL configuration, you can use tools such as this one.
- If there are any images or other data that you take from other sites (for example, logos, image sources), be sure they use HTTPS protocol as well. Otherwise, it can theoretically cause an obscure breach in your system. You may easily check if everything is ok with your site or not. If there are any sources from HTTP, your browser will highlight your protocol with red color and sometimes it can be crossed out. But overall, this last point is mostly about the education and discipline of your users. Some things can not be forced.
2. Check and divide permissions
- Make sure your application is not running from the root (at least folders public, tmp, files, log). We strongly recommend that the whole application + ruby is installed from a specific user.
- Make sure you don't have permissions like 777 for any application folder. Optimal permissions are 755 or for some files 644.
3. Keep non-used ports closed
- Ask your system administrators or hosting providers to close all non-used ports. Open them only in case you need to update the system, ruby or application.
4. Use strong passwords
- Make sure you don't use the same password for your root server user, root database user, application server user, database application user, and admin or any other user inside your application.
- All passwords should be different, long enough - at least 15 symbols, containing letters, numbers and special symbols...or simply just long. Don't fall into a state of lethargy and make sure you change passwords at least inside the application at least every 6 months.
- More about passwords and authentication in Easy Project is presented in the knowledge base.
5. Update your server and application regularly
- It's very important to keep everything up to date. The world is changing every day. The IT world is changing even quicker.
- Every day new weaknesses are found and new safety protocols are created. If you use outdated applications - you increase the risk of attacks or scams through your server. When is the last time you updated your RubyGems?
6. Be careful with uploaded files
- We recommend you to define file extensions that are allowed to be uploaded to your server. You may do it both from your web-server, or from inside Easy Project (Administration >> Settings >> Files). How to restrict or allow specific file extensions in Nginx you may find here. If you have settings on both at the same time, web-server wins.
- Another option is to deploy an antivirus to check all uploaded files on the server. One free option is ClamAV.
That's not all...
These tips are the minimum that allows an Easy Project admin to sleep peacefully - the application is secure. But naturally, you can add more layers of protection if required (proxy, reverse proxy, VPN, IP filter, etc.).
We can take responsibility for whole server security and implement a number of additional security measures for you at Easy Project Private Cloud. If you have any questions, contact us. Make your Easy Project properly secured.