Security Fixes

1. Password value set in cookie

Removed cookies u and p.

2. Security Misconfiguration – Domain Administrator File Dump…/…/…/…/…/

Now gives an error.

3. ASP.NET ViewState Without MAC Enabled

Added –
<pages enableViewStateMac="true" viewStateEncryptionMode="Always" />

4. Cookie Without HttpOnly Flag Set

Added HttpOnly flag:
• ecm
• EkAnalytics

5. Cross-Site Request Forgery

Enabled Single Sign-On (SSO). Removed the password reset page (settings.aspx) and removed it from the menu; it is not needed on this site.

6. Default Credentials Supported

Changed the Builtin account password.

7. Default Server Pages Present

Added additional authentication before access is granted.

8. Early TLS Enabled

Disabled TLS versions 1.0 and 1.1.

9. Frameable Response (Potential Clickjacking) Attack

Added <add name="X-Frame-Options" value="sameorigin" />

10. Information Leakage from Server Response

Removed –

Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

11. Overly Verbose Error Message

Added –

  1. Generic Error message
  2. Custom Error Page.

12. SSL Cookie Without Secure Flag Set


Added <httpCookies sameSite="None" requireSSL="true" httpOnlyCookies="true" />

13. User Enumeration

Removed the "Error Authenticating User" error message. A generic error message is given instead: "Invalid username or password".

14. Debugging is Enabled

Removed –

15. Improper Session Timeout Configuration

Added a 15-minute session timeout: after 15 minutes of inactivity the user is logged out.

16. Insecure Direct Object Reference

Restricted access to site resources (PDF) without authentication.

17. Missing or Misconfigured Content-Security Policy


Added <add name="Content-Security-Policy" value="default-src *; script-src * 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src * 'unsafe-inline';" />

18. Missing or Misconfigured Strict-Transport-Security Header


Added <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />

19. Missing or Misconfigured X-Content-Type-Options Header


Added <add name="X-Content-Type-Options" value="nosniff" />

This change is causing issues in the Content tab of the Admin Panel; let us know if it is not critical and we can revert it.

Will discuss with Karen.

20. Missing or Misconfigured X-Frame-Options Header

Added <add name="X-Frame-Options" value="sameorigin" />
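To verify the header-related items (4, 9, 10, 12, 17, 18, 19 and 20) after deployment, here is an added Python checker, not part of the remediation itself, that parses a raw HTTP response and lists which fixes are missing; it also flags the wildcard sources and 'unsafe-inline'/'unsafe-eval' in the item 17 policy, which leave that CSP with little protective value. The sample response is constructed for illustration; a real run would feed in the response captured from the site.

```python
import re

# Constructed sample response (not captured from the site). Header values mirror the
# fixes in this report, with the Server leak and an un-Secured cookie left in on purpose.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src *; script-src * 'unsafe-inline' 'unsafe-eval'\r\n"
    "Set-Cookie: ecm=abc; path=/; HttpOnly\r\n"
    "Set-Cookie: EkAnalytics=xyz; path=/; Secure; HttpOnly\r\n"
    "\r\n<html></html>"
)
LEAK_HEADERS = ("server", "x-powered-by", "x-aspnet-version")  # item 10
HSTS_DIRECTIVE = re.compile(r"^[A-Za-z-]+(=\S+)?$")             # RFC 6797 directive grammar

def parse_headers(raw):
    """Split a raw HTTP response into (lower-cased name, value) pairs; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_response(raw):
    """Return sorted finding strings; an empty list means every header check passed."""
    headers = parse_headers(raw)
    first = lambda n: next((v for k, v in headers if k == n), "")
    findings = [f"leak: {n}" for n, _ in headers if n in LEAK_HEADERS]
    if first("x-frame-options").lower() not in ("deny", "sameorigin"):   # items 9, 20
        findings.append("missing: x-frame-options")
    hsts = [d.strip() for d in first("strict-transport-security").split(";") if d.strip()]
    age = re.search(r"max-age=(\d+)", first("strict-transport-security"), re.I)
    # every directive must be a valid token and max-age at least one year   # item 18
    if not all(HSTS_DIRECTIVE.match(d) for d in hsts) or not age or int(age.group(1)) < 31536000:
        findings.append("weak: strict-transport-security")
    if first("x-content-type-options").lower() != "nosniff":             # item 19
        findings.append("missing: x-content-type-options")
    csp = first("content-security-policy")                                # item 17
    if not csp:
        findings.append("missing: content-security-policy")
    elif re.search(r"(^|\s)\*(;|\s|$)|unsafe-inline|unsafe-eval", csp):
        findings.append("weak: content-security-policy")  # wildcard or unsafe-* sources
    for _, cookie in (h for h in headers if h[0] == "set-cookie"):        # items 4, 12
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        findings += [f"cookie {name}: missing {f}" for f in ("secure", "httponly") if f not in attrs]
    return sorted(findings)
```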

21. No Logout Functionality

Added Logout Functionality.

22. No Password Reset Feature Provided

Enabled Single Sign-On (SSO). This functionality is not needed on this site.

23. Security Misconfiguration: Public WSDL Access

Disabled web services documentation.

24. Security Misconfiguration: Unauthenticated Access to Config File

Removed version.xml.

25. Stacktrace / Overly Verbose Error Message Displayed

26. URL Redirect Abuse

27. Vulnerable Version of the Library ‘jQuery’ Found

Upgraded to the latest jQuery version, 3.6.0.

28. Vulnerable Version of the Library ‘jQuery-UI’ Found

Upgraded to the latest jQuery-UI version, 1.12.1.

29. Weak Ciphers

Removed Ciphers that were not required.

30. Weak Session Management – Session not Invalidated


31. Missing or Misconfigured X-XSS-Protection Header

Added <add name="X-XSS-Protection" value="1; mode=block" />

32. Path-relative Style Sheet Import

33. Weak Session Management – Concurrent Sessions Allowed

Enabled Single Sign-On (SSO). This is handled by the Identity Provider's session management.

34. Authentication in Alternative Channel

Removed access to the direct URL to ensure all users enter via the Portal.

35. No Password History Check

Enabled Single Sign-On (SSO). This functionality is not needed on this site.

36. Password Field with Autocomplete Enabled

Enabled Single Sign-On (SSO). This functionality is not needed on this site.

Single Sign On

We have configured the following IdP metadata:



SAML attributes required:



The SAML request for Client Provisioning and User Provisioning is the same. Clients will be created automatically if the client is not found.

Client provisioning is automatic: if the Client named in the SAML attribute is not found in Ektron, a new Client is created.


If the FIS team needs access to the Admin Panel, let us know.

We will either disable the Identity Provider redirect on the login page or disable the redirect for their IP address.