Security Best Practices

It is critical that you maintain a secure environment. We recommend these best practices to maintain a secure environment.

  • Configure HTTPS for all Sequence Sites.
    • Admin
    • Flowtime
    • Other sites
  • Do not disable or overwrite security elements that are part of the Sequence product, in its configuration files, such as EnableViewStateMac.
  • Use OWASP Best Security Practices. This is particularly relevant if you write custom code and extend Sequence.
  • Add validation to form input fields.
  • Do not disable HTML encoding on the data you display to users.
  • When you create forms, do not create security holes. For more information, see the OWASP documentation.
  • If your forms access external systems, verify that these systems are secure,  and the communication between Sequence and these systems is secure.
  • Be mindful of cross-site scripting (XSS). If you want to display user input text as plain HTML (i.e., not in a text box), consider how to display the text without JavaScript or HTML tags.
  • Do not rely on client-side checks and validations. Run the same checks and validations on the server side.
  • For highly-secure environments, we recommend that you disable Form-based authentication. To disable Form-based authentication, remove the Form-based authentication provider from the providers list and disable anonymous access on the Administration and ProcessTOGO sites.