Sofisis Security

This document is a general description of the security features of Sofisis.

SSL / HTTPS

Sofisis is served over HTTPS. This prevents attackers on the network path from reading authentication credentials or any other information exchanged between the client and the server, and prevents active network attackers from altering the data sent in either direction.

Cross-site request forgery (CSRF) protection

CSRF attacks allow a malicious user to perform actions using the credentials of another user without the knowledge or consent of that user.

Sofisis has built-in protection against these types of CSRF attack.

CSRF protection works by checking for a secret in each POST request. This ensures that a malicious user cannot simply "replay" a POST form on their own website and have another logged-in user submit it unknowingly. The malicious user would have to know the secret, which is specific to the user (stored in a cookie).
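The check described above, as an added example that is not part of this document or of Sofisis's own code: a per-user secret is issued in a cookie, and a state-changing request is accepted only when its form body carries that same secret. The cookie and field names and the helper names are assumptions.

```python
import hmac
import secrets

# Hypothetical names for the cookie and the form field (assumptions).
COOKIE_NAME = "csrftoken"
FORM_FIELD = "csrfmiddlewaretoken"
UNSAFE_METHODS = ("POST", "PUT", "PATCH", "DELETE")


def issue_csrf_secret() -> str:
    """Create a fresh, unguessable per-user secret to be set in the cookie."""
    return secrets.token_urlsafe(32)


def check_csrf(method: str, cookies: dict, form: dict) -> bool:
    """Accept the request only if the body carries the secret from the cookie.

    A form served from another site cannot read this cookie, so it cannot
    include the secret; the request is therefore rejected.
    """
    if method.upper() not in UNSAFE_METHODS:
        return True                       # safe methods change no state
    cookie_secret = cookies.get(COOKIE_NAME)
    submitted = form.get(FORM_FIELD)
    if not cookie_secret or not submitted:
        return False                      # no secret present: reject
    # constant-time comparison so the check does not leak the secret via timing
    return hmac.compare_digest(cookie_secret, submitted)


if __name__ == "__main__":
    secret = issue_csrf_secret()
    # constructed requests: a legitimate submission and two forged ones
    print(check_csrf("POST", {COOKIE_NAME: secret}, {FORM_FIELD: secret}))  # True
    print(check_csrf("POST", {COOKIE_NAME: secret}, {}))                    # False
    print(check_csrf("POST", {COOKIE_NAME: secret}, {FORM_FIELD: "guess"})) # False
```

The secret itself should be set with the `HttpOnly` and `Secure` cookie attributes and rotated on login, so that the cookie cannot be read from script and only travels over HTTPS.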

SQL injection protection

SQL injection is a type of attack in which a malicious user is able to execute arbitrary SQL code on a database. This can result in records being deleted or data being leaked.

Sofisis query sets are protected from SQL injection because their queries are constructed using query parameterization: the SQL code of a query is defined separately from the query's parameters. Since the parameters may be user-supplied and therefore unsafe, the underlying database driver escapes them.
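Parameterization side by side with string concatenation, as an added example (not Sofisis's own query code). It uses a constructed in-memory SQLite table; the driver binds the value separately from the SQL text, so a value containing quotes is matched literally instead of changing the query's structure.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the user-supplied value is pasted into the SQL text,
    so quote characters in it become part of the query itself."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized form: the SQL text is fixed and the value is bound by the
    driver, so whatever it contains is compared as a plain string."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    tampered = "x' OR '1'='1"             # the classic tautology input
    print(find_user_unsafe(conn, tampered))  # every row: query structure changed
    print(find_user_safe(conn, tampered))    # []: no user has that literal name
```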

Cross-site scripting (XSS) protection

XSS attacks allow a user to inject client-side scripts into other users' browsers. This is usually achieved by storing malicious scripts in the database, from where they are retrieved and displayed to other users, or by getting users to click on a link that causes the user's browser to execute the attacker's JavaScript. However, XSS attacks can originate from any untrusted data source, such as cookies or web services, whenever the data is not sufficiently sanitized before being included in a page.
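The sanitization step the paragraph refers to, shown as output encoding at the point where untrusted data is written into a page. This is an added example with hypothetical function names, not Sofisis's template code; it treats every value as untrusted regardless of whether it came from the database, a cookie or a web service.

```python
import html


def render_comment(author: str, body: str) -> str:
    """Escape each untrusted value for the HTML context it lands in.

    html.escape turns < > & into entities so the browser treats the text as
    data rather than markup; quote=True additionally escapes " and ', which
    is what keeps a value from breaking out of an attribute.
    """
    safe_author = html.escape(author, quote=True)   # attribute context
    safe_body = html.escape(body)                    # element text context
    return '<div class="comment" data-author="%s"><p>%s</p></div>' % (
        safe_author, safe_body)


def render_comment_unsafe(author: str, body: str) -> str:
    """The missing step: values are emitted verbatim, so stored markup runs."""
    return '<div class="comment" data-author="%s"><p>%s</p></div>' % (author, body)


def contains_raw_tag(fragment: str) -> bool:
    """Quick check used below: is an unescaped tag present in the output?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    # constructed stored value of the kind the paragraph describes
    stored_body = "<script>alert(1)</script>"
    print(render_comment_unsafe("mallory", stored_body))  # tag survives
    print(render_comment("mallory", stored_body))         # &lt;script&gt;...
```

Escaping is context-specific: the same value needs different encoding inside a URL, a JavaScript string or a CSS value, which is why a template engine that escapes by default still needs care when values are placed outside ordinary HTML text and attributes.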

Clickjacking protection

Clickjacking is a type of attack in which a malicious site wraps another site in a frame. This attack can trick an unsuspecting user into performing unintended actions on the target site.

Sofisis contains clickjacking protection so that, in a supporting browser, a site can be prevented from being rendered inside a frame.
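How that protection is typically delivered, as an added example rather than Sofisis's own middleware: a response filter sets the `X-Frame-Options` header and the equivalent `Content-Security-Policy` `frame-ancestors` directive, which browsers honour when deciding whether to render the page in a frame. The exemption marker name is an assumption.

```python
# Maps the X-Frame-Options value to the equivalent frame-ancestors source.
FRAME_POLICIES = {"DENY": "'none'", "SAMEORIGIN": "'self'"}

# Hypothetical internal marker a view can set when framing is genuinely needed.
EXEMPT_MARKER = "X-Frame-Exempt"


def add_frame_protection(headers: dict, policy: str = "DENY") -> dict:
    """Return a copy of the response headers with frame protection applied.

    The header is only set if the response has not already chosen a value,
    and an existing CSP is extended rather than replaced.
    """
    if policy not in FRAME_POLICIES:
        raise ValueError("policy must be DENY or SAMEORIGIN")
    out = dict(headers)
    if out.pop(EXEMPT_MARKER, None):
        return out                         # view opted out; strip the marker
    out.setdefault("X-Frame-Options", policy)
    directive = "frame-ancestors " + FRAME_POLICIES[policy]
    csp = out.get("Content-Security-Policy", "")
    if "frame-ancestors" not in csp:
        out["Content-Security-Policy"] = (
            csp.rstrip("; ") + "; " + directive if csp else directive
        )
    return out


if __name__ == "__main__":
    # constructed response headers
    print(add_frame_protection({"Content-Type": "text/html"}))
    print(add_frame_protection({"Content-Security-Policy": "default-src 'self';"},
                               "SAMEORIGIN"))
```

`frame-ancestors` takes precedence over `X-Frame-Options` in browsers that support both; sending both covers older browsers that only understand the latter.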

Host Header Validation

Sofisis uses the Host header provided by the client to build URLs in certain cases. While these values are sanitized to prevent cross-site scripting attacks, a spoofed Host value can be used for cross-site request forgery, cache poisoning attacks, and poisoning links in emails.

Because even seemingly secure web server configurations are susceptible to fake Host headers, Sofisis validates Host headers against the list of hosts it has been configured to allow.
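An allow-list check of the kind described, written as an added example (not Sofisis's own validation code). It parses the Host header, strips an optional port and trailing dot, supports wildcard entries such as `.example.com` that cover a domain and its subdomains, and refuses to build an absolute URL from any host that is not on the list. The sample allow-list and function names are assumptions.

```python
import re

# Host header: a DNS name/IPv4 literal or a bracketed IPv6 literal, optional port.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(:\d{1,5})?$")


def split_host(header_value: str):
    """Return (host, port) parsed from a Host header, or None if malformed."""
    value = header_value.strip().lower()
    match = HOST_RE.match(value)
    if not match:
        return None
    host = match.group(1).rstrip(".")      # "example.com." is the same name
    port = match.group(2)[1:] if match.group(2) else None
    return host, port


def host_matches(host: str, pattern: str) -> bool:
    """'*' matches any host; '.example.com' matches it and all subdomains."""
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def validate_host(header_value: str, allowed_hosts) -> str:
    """Return the normalized host, or raise ValueError if it is not allowed."""
    parsed = split_host(header_value)
    if parsed is None:
        raise ValueError("malformed Host header: %r" % header_value)
    host, _port = parsed
    if not any(host_matches(host, p.lower()) for p in allowed_hosts):
        raise ValueError("disallowed host: %r" % host)
    return host


def is_allowed_host(header_value: str, allowed_hosts) -> bool:
    """Boolean form of validate_host for callers that do not want exceptions."""
    try:
        validate_host(header_value, allowed_hosts)
        return True
    except ValueError:
        return False


def build_absolute_url(header_value, allowed_hosts, path="/", scheme="https"):
    """Links placed in emails or redirects come only from a validated host."""
    return "%s://%s%s" % (scheme, validate_host(header_value, allowed_hosts), path)


if __name__ == "__main__":
    ALLOWED = [".example.com", "localhost"]        # constructed allow-list
    print(build_absolute_url("app.example.com:8443", ALLOWED, "/reset"))
    print(is_allowed_host("evil.example.net", ALLOWED))   # False
```

A request whose Host fails the check should be answered with a 400 before any URL is generated or any cache key is derived from it, so the spoofed value never reaches a cache or an outgoing message.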