Document Messenger - Technical Specifications
Document Messenger allows Organisations to electronically correspond with their clients online in a safe and secure environment. It has been designed from the ground up to be a security conscious web application.
The Document Messenger system is a secure web application with the following specification:
- Server-side ASP.NET Core 2.1 API
- Client-side Angular 7 (continually patched with latest security updates)
- Site is hosted on Microsoft Azure AppService in the UK West region
- We keep the software libraries patched regularly so that we stay ahead of any vulnerabilities that have been fixed upstream.
Clients never receive documents or message text directly via email; they only receive a notification that a message is waiting, with a link. In order to access the message (and any document) they need to authenticate.
- Documents are stored in Microsoft Azure Blob storage in the UK West region and data is encrypted at rest
- Messages are stored in an Azure SQL database and all database interactions go through the EF Core ORM, which protects against SQL injection attacks
- Documents only accessible via Document Messenger system - never directly in email client
- Uses IdentityServer4 as the OpenID Connect and OAuth 2.0 middleware
- Clients can only access system after authentication
- Clients manage their own passwords - no staff interaction
- Strong password rules enforced
All traffic between browser and server is redirected to use the HTTPS protocol, so that data is encrypted with TLS before it is transmitted across the network and the identity of the server host is verified against its certificate. TLS helps protect against attacks such as a man-in-the-middle attack, where an attacker sits between a visitor and a web site and impersonates both, allowing them to tamper with the data or simply listen passively.
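As an added illustration of how the HTTPS redirection described above and the "strong password rules" item in the list are typically enforced in this stack (ASP.NET Core 2.1), and not Document Messenger's own code: the redirect status code, HTTPS port, HSTS lifetime and password/lockout values are assumptions, and registration of Identity, EF Core and IdentityServer4 is assumed to happen elsewhere in the Startup.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Redirect every plain-HTTP request to HTTPS. 307 preserves the verb and
        // body of non-GET requests; the port is assumed (443) because an app
        // behind a reverse proxy such as Azure App Service cannot infer it.
        services.AddHttpsRedirection(options =>
        {
            options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
            options.HttpsPort = 443;
        });

        // HSTS: browsers refuse plain HTTP for this host for a year, closing
        // the window where the very first request could be downgraded.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365);
            options.IncludeSubDomains = true;
            options.Preload = true;
        });

        // "Strong password rules enforced" via ASP.NET Core Identity (values assumed).
        services.Configure<IdentityOptions>(options =>
        {
            options.Password.RequiredLength = 12;
            options.Password.RequiredUniqueChars = 6;
            options.Password.RequireNonAlphanumeric = true;
            options.Password.RequireUppercase = true;
            options.Password.RequireDigit = true;
            // Slow online guessing: lock the account after 5 failures for 15 minutes.
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Send HSTS only outside development: a cached header on localhost
        // is hard for a developer to undo in their browser.
        if (!env.IsDevelopment()) app.UseHsts();
        app.UseHttpsRedirection();
    }
}
```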
We follow the OWASP Top 10 and try to adhere to its recommendations on the most critical security risks currently facing web applications and how to mitigate them.
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.