Security Technologies
This section describes the security technologies used by Promenta Solutions. Please refer to the Authorisation sections for SAP authorisation settings.
Note: Promenta Webflow runs completely within the SAP environment (ECC and, optionally, SAP NetWeaver Portal) and hence inherits the security settings of the underlying systems.
Browsers
Most users access Promenta Webflow through a web browser.
Supported browsers are those supported by SAP for your environment and SAP patch level. See the Product Availability Matrix for more details: https://apps.support.sap.com/sap/support/pam
HTTPS/SSL
Web security such as HTTPS/SSL is provided by the SAP environment itself and is used automatically by Webflow. Promenta recommends HTTPS/SSL for all production systems; the customer purchases a valid SSL certificate.
Logon Process
Logon to Promenta Webflow is via the underlying SAP system. However, for Web Application Server based installs, Promenta does not support the "basic authentication" provided by browsers because it is insecure; only form-based authentication is supported.
Network
Most Webflow implementations are not exposed directly to the Internet, so the security concerns are reduced. However, if Webflow is on an external-facing system, the customer must implement all of SAP's security recommendations for external-facing systems:
- Firewall settings
- Proxy servers
- Antivirus
- Security-related OS and database patches
Cross-Site Scripting (XSS) Protection
Webflow contains protection against cross-site scripting (XSS) attacks. This protection is activated by default. More information about this type of vulnerability can be found here: https://en.wikipedia.org/wiki/Cross-site_scripting
Clickjacking Protection
Webflow contains protection against clickjacking exploits, preventing Webflow from running within an IFrame of a compromised site. More information about this type of vulnerability can be found here: https://en.wikipedia.org/wiki/Clickjacking
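The HTTPS/SSL, Logon Process and clickjacking sections above describe controls that an administrator will want to verify on a deployed system. The following is an added example (not Promenta's or SAP's code, and not taken from this documentation) that audits a set of HTTP response headers for those three controls; the header values it uses are constructed sample data, not captured from a real system.

```python
# Added example: offline audit of HTTP response headers against the controls
# described on this page: HTTPS with a strict transport policy, no browser
# "basic authentication" challenge (form-based logon only), and clickjacking
# protection that stops the application being framed by another site.

def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP header value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def audit_headers(headers, scheme="https"):
    """Return a list of findings; an empty list means every checked control passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme != "https":
        findings.append("served over plain HTTP; enforce HTTPS/SSL")
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security header")
    # A WWW-Authenticate: Basic challenge means the browser's basic auth is in use.
    if h.get("www-authenticate", "").lower().startswith("basic"):
        findings.append("basic authentication challenge issued; use form-based logon")
    # Framing is blocked by X-Frame-Options DENY/SAMEORIGIN or a restrictive
    # CSP frame-ancestors list ('none' or 'self' only).
    xfo = h.get("x-frame-options", "").upper()
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    framing_blocked = xfo in ("DENY", "SAMEORIGIN") or (
        bool(ancestors) and all(a in ("'none'", "'self'") for a in ancestors))
    if not framing_blocked:
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")
    return findings

# Constructed sample: a hardened production response.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample: a misconfigured response that fails every check.
BAD_HEADERS = {
    "WWW-Authenticate": 'Basic realm="constructed-sample"',
    "Content-Security-Policy": "default-src 'self'; frame-ancestors *",
}

if __name__ == "__main__":
    for name, hdrs, scheme in (("good", GOOD_HEADERS, "https"), ("bad", BAD_HEADERS, "http")):
        print(name, audit_headers(hdrs, scheme) or ["all checks passed"])
```

Feed the function the headers and scheme of a real response captured from your own Webflow endpoint to confirm the production settings match what this page describes.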
Other security features
Key reference information such as request numbers is encrypted by default in URLs.
Workflow approvals can only be opened by their intended recipients.