Agile Developer


What’s New in 10.6?

This page describes the features and enhancements introduced in 10.6.0.0.

Features

Axpert on PostgreSQL

Axpert is now compatible with the PostgreSQL database, one of the most powerful open-source databases. PostgreSQL is highly reliable and robust and offers great performance.

Use Axpert in mobile

You can now view all your Axpert Web applications on a mobile device. This version of the app offers a simple and intuitive user experience and is highly scalable and globally available. You can sign in to your Axpert application in a few seconds and connect to your on-premises or cloud resources to manage and report operational data from the mobile app.

Enhancements

This section describes the enhancements made in the Axpert 10.6.0.0 release.

Optimizing Axpert Performance

Performance improvement is, by nature, iterative. In this release, the postback is removed for the NewSearch and Save buttons on forms. Consider the scenario of opening an existing form from the menu or from the search bar. Once the form is loaded, clicking the New button opens a new form. Axpert now clears the data in the existing form and shows a blank form instead of reloading the form from the server. This approach not only loads the form instantly but also improves the overall performance of Axpert considerably. (Note: Axpert reloads the form only when you open it from the menu, from the search bar or from the list view.)

Handling US date format elegantly

Axpert now supports the mm/dd/yyyy format (01/05/2010) in addition to the dd/mm/yyyy format (05/01/2010). You can configure the date format using the Date Format property under the Advanced Settings option. After enabling this setting, Axpert displays dates in mm/dd/yyyy format in all date fields throughout the application.

AxpertWeb security enhancements

This topic describes how to protect your website and server against the following attacks:

  • Cross site scripting (XSS) – This is a client-side code injection attack. It occurs when a victim visits a web page or web application that executes malicious script injected by the attacker. Such attacks are common in forums and message boards that prompt users to enter comments.
  • SSL cookies without secure flag set – When the Secure flag is set on a cookie, browsers do not send the cookie in any request that uses an unencrypted HTTP connection, so an attacker observing the network cannot capture it. You can set this flag in the web.config file under the path //configuration/system.web/ as <httpCookies requireSSL="true" />.

  • OPTIONS Method Enabled – The OPTIONS method returns the list of HTTP methods that are supported, which helps attackers focus their efforts. It is recommended to disable the OPTIONS method on the web server. You can disable it in the web.config file under the path //configuration/system.web/ by adding an authorization element: <authorization><deny verbs="OPTIONS" users="*" /><deny verbs="TRACE" users="*" /><deny verbs="HEAD" users="*" /></authorization>. Note that this element also denies HEAD, which some load balancers and monitoring tools use for health checks.

  • BREACH attack – This is an attack against HTTP compression. It can recover sensitive information from responses in as little as 30 seconds. To prevent it, turn off HTTP compression in IIS; to disable HTTP compression, refer to [1] or [2].
  • RC4 cipher suites detected – This is a weakness in TLS that allows an attacker to recover a limited amount of plaintext when RC4 encryption is used. To counteract it, stop using RC4 in TLS. For more information on how to disable RC4, refer to [3].

  • Disclosure of webserver version – Web servers often reveal what type of server they are, their version number and the operating system. Attackers use this information to choose exploits for the target web server. It is therefore recommended to limit the information the server discloses.
  • Application error message – Detailed error messages may expose sensitive information about an application's internal workings to an attacker. To avoid this, configure the application to log errors to a file and redirect to custom error pages: set the paths properly in httpErrors and in customErrors with mode="On".

  • Unencrypted login request – User credentials such as usernames and passwords that are sent to the server unencrypted can be stolen in transit. To prevent credential theft, use Secure Socket Layer (SSL).
  • Missing or insecure content-security-policy (CSP) header – CSP is an additional layer of security that helps prevent XSS and data injection attacks. To enable this header, go to the //configuration/system.webServer/httpProtocol/customHeaders path and add the following: <add name="Content-Security-Policy" value="script-src 'unsafe-inline' 'unsafe-eval' http: https:; style-src 'self' 'unsafe-inline'; font-src *; img-src * data:; default-src *;" />. For more information on additional settings, go to [4]. You can also verify CSP settings in [5].

  • Missing or insecure "X-XSS-Protection" header – Browsers such as Internet Explorer, Chrome and Safari can stop loading a page when they detect a reflected XSS attack. To enable this behaviour, go to the //configuration/system.webServer/httpProtocol/customHeaders/ path and add: <add name="X-XSS-Protection" value="1; mode=block" />
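The checks below audit a web.config for the cookie, authorization, custom error and header settings described in this topic. This is an added example, not Axpert's own code; both sample configs are constructed for illustration, and the checker additionally flags 'unsafe-inline' and 'unsafe-eval' in the CSP, since those directives let injected inline script run and are the first thing to tighten in the policy shown above.

```python
# Added example (not Axpert's own code): audit a web.config for the settings
# described in this section. Both sample configs below are constructed.
import xml.etree.ElementTree as ET

HARDENED = """<configuration>
  <system.web>
    <httpCookies requireSSL="true" />
    <customErrors mode="On" defaultRedirect="error.html" />
    <authorization>
      <deny verbs="OPTIONS" users="*" />
      <deny verbs="TRACE" users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Content-Security-Policy" value="default-src 'self'" />
        <add name="X-XSS-Protection" value="1; mode=block" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

DEFAULT = "<configuration><system.web/><system.webServer/></configuration>"


def audit(xml_text):
    # Returns a list of findings; an empty list means every check passed.
    root = ET.fromstring(xml_text)
    findings = []
    cookies = root.find("system.web/httpCookies")
    if cookies is None or cookies.get("requireSSL", "").lower() != "true":
        findings.append("httpCookies requireSSL is not true")
    errors = root.find("system.web/customErrors")
    if errors is None or errors.get("mode", "").lower() != "on":
        findings.append("customErrors mode is not On")
    denied = {d.get("verbs", "").upper()
              for d in root.findall("system.web/authorization/deny")}
    for verb in ("OPTIONS", "TRACE"):
        if verb not in denied:
            findings.append(f"{verb} method is not denied")
    headers = {a.get("name", "").lower(): a.get("value", "") for a in
               root.findall("system.webServer/httpProtocol/customHeaders/add")}
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy still allows inline/eval script")
    if headers.get("x-xss-protection") != "1; mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    return findings
```

Run audit() against your deployed web.config after applying the settings above; a non-empty list names the items still to fix.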
