Security
Today the internet is a war zone. As soon as your Axon Ivy Engine is publicly available over the internet, bots will scan it for security holes and try to attack it. It is important to operate an Axon Ivy Engine safely, whether it runs in a relatively “secure” intranet environment or is accessible via the internet. This chapter describes how to do that.
Run the Axon Ivy Engine behind a fully patched web application firewall (WAF) or at least a reverse proxy server (like NGINX, Apache HTTP Server, or IIS).
Disable direct access to the Axon Ivy Engine.
Only allow access to the URLs of your application and block all other access.
Run the Axon Ivy Engine with a dedicated system user and database users with limited access rights.
Run the latest Axon Ivy Engine major version with all updates marked as security-relevant.
Only serve users via HTTPS (configured on the reverse proxy).
Document and automate the server setup.
Ensure that the operations provider performs daily backups (database, relevant engine folders) which can also be restored…
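The following NGINX configuration is an added example, not part of the Axon Ivy documentation or product. It shows how the reverse proxy items above fit together: HTTPS only, an allow-list for the application URLs, and no route to anything else on the engine. The host name `ivy.example.com`, the application path `/myapp/`, the engine address `127.0.0.1:8080` and the certificate paths are assumptions; replace them with your own values.

```nginx
# Added example with placeholder values (host name, application path,
# engine address and certificate paths are assumptions).

# Plain HTTP is never proxied to the engine, only redirected to HTTPS.
server {
    listen 80;
    server_name ivy.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ivy.example.com;

    # TLS terminates on the reverse proxy.
    ssl_certificate     /etc/nginx/tls/ivy.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/ivy.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Allow-list: only the URLs of the application reach the engine.
    # The engine is addressed on the loopback interface; its port should
    # additionally be closed in the host firewall so that it cannot be
    # reached directly from the network.
    location /myapp/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Every other path is refused at the proxy and never forwarded.
    location / {
        return 404;
    }
}
```

Check the syntax with `nginx -t` before reloading, and keep the file under version control as part of the documented, automated server setup.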
Read more about other security tweaks which you can apply to your Axon Ivy Engine: