Application Layer Security
All communications use HTTPS between the browser and client devices. HTTP connections are not supported and will return a permanent redirect to the HTTPS equivalent.
DJ Manager accounts are protected by a secure login.
Users can only be added to the platform by existing users with Administrator level access.
Users can only be removed from the platform by existing users with Administrator level access.
Requests to DJ Manager applications and APIs require users to be authenticated.
Requests are subject to the following validation checks
- The token is valid and has not expired.
- The user has access to the tenant they are requesting data for/trying to update.
- The user has the appropriate privilege for the operation they are performing.
- The request is not a Cross Site Request.
Security and Coding Practices
We adhere to OWASP Secure Coding Practices:
Incoming data is validated on a trusted system (the server) before the data is processed, including expected value, data range, data types
Incoming requests are validated to ensure they are coming from a trusted source.
Dangerous incoming requests that include hazardous characters are rejected where appropriate.
Outgoing data is sanitized to ensure no confidential data is returned.
Data is contextually encoded as it is returned.
Authentication and User Management
Authentication is required for all pages, except those specifically required to have public access.
Authentication is always enforced by the server.
Authentication systems always fail securely.
Passwords are encrypted at rest.
Authentication is only validated when all input has been completed.
Authentication failure does not reveal which part of the data was incorrect.
Passwords are not transmitted to the user via email (except initial credentials)
Passwords are obstructed on the user's screen e.g web forms have input type of 'password'
Passwords can only be reset by users of same user level or above, and a reset password is sent to the user with a secure and unique token.
Session Management uses the server's framework session controls
Sessions are only created on the server
Session domain and path for cookies are restricted appropriately
Sessions are terminated both client and server side when the user logs out
Logout is available from all pages that are protected by authorization.
Session identifiers are not returned in urls, error messages/logs, only in cookies.
Authorization is standardised against the DJ Manager environment.
Access controls all fail securely.
Application access is denied if the application cannot access the security information to validate a user
Authorization is enforced for every request
Users, application data, functions are restricted to authroized users.
All cryptographic processed are performed on the server.
The latest framework cryptographic procedures are used.
Sensitive information is not disclosed on error messages.
All application errors return a generic error message to the user.
Logging is implemented server side.
Sensitive information is not stored in logs, such as session identifiers or passwords.
Logs are only accessible to authorized individuals within the DJ Manager team.
All system exceptions are logged.
Sensitive data is encrypted in transit and at rest.
Server side code is not available to download by the user.
Sensitive data is not included in HTTP GET requests e.g. Passwords
Server access is only permitted by authorized DJ Manager Employees.
DJ Manager where possible enforces that clients use TLS for protection of data in transit.
Failed TLS connections do not fallback to insecure connections.
All authentication mechanisms require TLS.
Sensitive data is always transmitted using TLS.
Servers, frameworks and system components always use the latest approved/stable version.
Servers, frameworks and system components have all critical and high priority patches installed
ASAP once verification has taken place, other patches are installed alongside platform updates.
Development, Testing, Staging and Production environments are isolated.
All changes to code are recorded internally and a sanitised user friendly version is made publicly available with each version release.
DJ Manage uses New Relic and Sentry to monitor the infrastructure and
application performance, any alerts are sent to our development and infrastructure team.
System Backup and Restoration
Databases are backed up on a daily basis and stored in a protected and isolated storage environment.
Databases backups and restorations are regularly tested to ensure that in the event of a system failure, the solution can be recovered.
A backup of the production database is always taken prior to platform updates.