MCS Security Guide

MCS is not a commercial web server. MCS essentially operates on the principles of a custom WAF-based web server, meaning that MCS validates every inbound URL and rejects any that do not comply with the MCS whitelist policy rules (including user-defined Access Control List (ACL) rules), independently of the browser's own conformance rules. The MCS WAF is designed to support the principal focus of the OWASP Top 10.

As a case in point, Cross-Site Scripting (XSS) protection is not left to the browser. XSS filtering is integrated into the core MCS process_request() engine by design. The reason for this approach is to ensure that MCS is fully protected regardless of which of the many different browsers and browser versions, old and new, the client is using, and also against rogue applications that are not browsers at all. Such applications are commonly used by those seeking to do harm. For example, take the use of ../../ syntax in a URL, a technique used by attackers to reach the file system outside the security boundary of the webroot. A modern browser will prevent the use of recursive ../.. syntax, but an old browser will not, and a malicious non-browser client is usually designed precisely to exploit such gaps. MCS has XSS filtering integrated into the core process_request() engine as part of the WAF support model. The same is true for cross-site forgery (CSF) and XML forwarding (both of which are options in the security settings).

The CSF and XML WAF rules prevent any inbound MCS URL from being referred from elsewhere, and block other attack types (such as PHP-based attacks). In other words, MCS does not rely on browser compliance to enforce inbound URL security rules. Instead, the inbuilt MCS WAF policies apply all security rules automatically and independently of the client.
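The following is an added illustration of the server-side principle described above (path validation and whitelist matching done by the server, not the browser); it is example code written for this guide, not MCS's own process_request() engine, and the ALLOWED_PREFIXES whitelist is a constructed stand-in for a real ACL. Like the policy described above, it rejects any ".." segment outright rather than resolving it.

```python
from typing import Optional
from urllib.parse import unquote

# Constructed example whitelist standing in for an MCS ACL. A prefix ending in "/"
# allows everything beneath it; any other entry must match the canonical path exactly.
ALLOWED_PREFIXES = ("/static/", "/api/", "/index.html")


def canonicalize_path(raw_path: str) -> Optional[str]:
    """Decode and normalize an inbound URL path on the server side.

    Returns the canonical absolute path, or None when the request must be rejected.
    Because decoding and normalization happen here, the outcome does not depend on
    whether the client (browser or not) cleaned up the URL before sending it."""
    if not raw_path.startswith("/"):
        return None                       # relative or scheme-prefixed forms are rejected
    path = raw_path.split("?", 1)[0]      # the query string is not part of the file path
    decoded = unquote(path)               # one decoding pass only
    if "%" in decoded:                    # leftover '%' means double encoding, e.g. %252e%252e
        return None
    if "\\" in decoded or any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return None                       # backslash separators, NUL bytes, control characters
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                      # collapse '//' and '/./'
        if seg == "..":
            return None                   # any parent-directory reference is rejected outright
        segments.append(seg)
    canon = "/" + "/".join(segments)
    # preserve a trailing slash so directory prefixes still match the whitelist
    return canon + "/" if decoded.endswith("/") and canon != "/" else canon


def authorize_request_path(raw_path: str, allowed=ALLOWED_PREFIXES) -> bool:
    """Whitelist check: canonicalize first, then require an allowed prefix or exact match."""
    canon = canonicalize_path(raw_path)
    if canon is None:
        return False
    return any(canon.startswith(p) if p.endswith("/") else canon == p for p in allowed)


if __name__ == "__main__":
    for req in ("/static/css/app.css", "/static/%2e%2e/%2e%2e/etc/passwd",
                "/static/%252e%252e/x", "/api/users?id=1", "/etc/passwd"):
        print(f"{req!r:45} -> {'allow' if authorize_request_path(req) else 'reject'}")
```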