Best Practices

This information is still applicable to v6

If your deployment allows for configuring settings outside of the source code (e.g. the Application Settings tab on Microsoft Azure App Services) then this can be used to configure a set of application settings that even the developers won’t have access to.

  • Configure another ApplicationSalt (via the Vidyano.ApplicationSalt app setting)

  • Set the DiagnosticsToken to a secure random string (Vidyano.Diagnostics token)

  • Use a different set of credentials/connection string for the database

  • If configured, use another connection string for verbose logging

  • Enable the Vidyano.ForceHttps app setting to enable HSTS

  • Configure TLS 1.2 to be the minimum TLS version

  • Disable the admin user and use a different named user that is an administrator, or make sure that the admin password is strong (and different from the development password)
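As an added example that is not part of the Vidyano documentation, the following Python snippet generates the salt and diagnostics token with a cryptographic random source and checks a production settings set against the list above, flagging values that are missing, weak, or copied from development. The Vidyano.DiagnosticsToken, ConnectionString and MinTlsVersion key names and both sample configurations are assumptions made for this example.

```python
import secrets

# Keys from the list above; the DiagnosticsToken, connection-string and TLS key names are assumed.
SALT_KEY = "Vidyano.ApplicationSalt"
TOKEN_KEY = "Vidyano.DiagnosticsToken"
HTTPS_KEY = "Vidyano.ForceHttps"
CONN_KEY = "ConnectionString"
TLS_KEY = "MinTlsVersion"

# Constructed sample: a development configuration that must not be reused in production.
DEV_SETTINGS = {
    SALT_KEY: "dev-salt",
    TOKEN_KEY: "debug",
    HTTPS_KEY: "false",
    CONN_KEY: "Server=localhost;Database=vidyano;User Id=sa;Password=dev",
    TLS_KEY: "1.0",
}

def generate_secret(nbytes: int = 32) -> str:
    """Cryptographically secure, URL-safe random string for a salt or token."""
    return secrets.token_urlsafe(nbytes)

def check_production_settings(prod: dict, dev: dict, min_len: int = 32) -> list:
    """Return findings for a production settings set, compared against development."""
    findings = []
    for key in (SALT_KEY, TOKEN_KEY):
        value = prod.get(key, "")
        if len(value) < min_len:
            findings.append(f"{key}: missing or shorter than {min_len} characters")
        elif value == dev.get(key):
            findings.append(f"{key}: identical to the development value")
    if not prod.get(CONN_KEY) or prod.get(CONN_KEY) == dev.get(CONN_KEY):
        findings.append(f"{CONN_KEY}: missing or reuses the development database credentials")
    if str(prod.get(HTTPS_KEY, "")).lower() != "true":
        findings.append(f"{HTTPS_KEY}: not enabled, so HSTS is not sent")
    try:
        if float(prod.get(TLS_KEY, "0")) < 1.2:
            findings.append(f"{TLS_KEY}: minimum TLS version is below 1.2")
    except ValueError:
        findings.append(f"{TLS_KEY}: not a valid version number")
    return findings

# Constructed sample: the hardened production configuration the list describes.
PROD_SETTINGS = {
    SALT_KEY: generate_secret(),
    TOKEN_KEY: generate_secret(),
    HTTPS_KEY: "true",
    CONN_KEY: "Server=prod-db;Database=vidyano;User Id=vidyano_app;Password=<from-vault>",
    TLS_KEY: "1.2",
}
```

Running `check_production_settings(DEV_SETTINGS, DEV_SETTINGS)` reports one finding per item in the list, while the hardened set reports none.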

Automation protection

If the web app is available on the public internet and can be accessed without logging in (e.g. a contact form), you should provide extra protection against abuse. This can easily be done by using the Google reCAPTCHA library to validate the request.

External Audit

Vidyano has been externally audited by The Security Factory; you can read the report here.

“Overall Security Posture

Based on our experience we would rate the security posture of the application in the higher regions of good security.”
